Makoto Fujiwara <makoto%ki.nu@localhost> writes:
> node-js issue:
> http://www.ki.nu/pkgsrc/reports/current/NetBSD-9.0/20220524.1616/nodejs-18.2.0/build.log
Also, nodejs is failing to build for me on macOS 10.13. I haven't
figured out why and I'm not sure it is the same thing.
> Probably, everybody know the problem, but let me confirm:
>
> It is the issue on openssl included in Release
> (the symbol = definition is not in openssl in 9.0).
>
> If it is built on (at least) 9.1_STABLE
> ----
> NetBSD pisa 9.1_STABLE NetBSD 9.1_STABLE (XEN3_DOM0) #0: Thu Mar 11
> 16:17:14 UTC 2021
> mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/xen/compile/XEN3_DOM0 amd64
> ----
> It builds fine.
So we need to think hard about what we mean by pkgsrc and support for
releases. There are three possibilities:
a. the package should build on the original release (9.0_RELEASE)
b. the package should build on the most recent point release
(9.2_RELEASE)
c. the package should build on the release branch (netbsd-9)
(c) is not reasonable. We have generally meant (a) for building, and
sort of (b) for working correctly when there is a bug in older formal
releases. In other words, we support 9.0 for building, but we don't
necessarily work around bugs.
> Probably
> 1. Update build server to 9.2 and use pkgtools/libkver to fake to be 9.0
> or
That is more or less declaring option b
> 2. Use (include) pkgsrc/security/openssl (by condition ?)
I don't like this, because it drags in pkgsrc openssl when there is
almost no reason.
> 3. Just ignore these by the time -10.0 ready
> or,
> (we should think about for quarterly release build anyway ?)
I don't understand this at all. pkgsrc is documented to support the
most recent two formal releases. So after 10.0_RELEASE has happened --
and I'm pretty sure that's not before 2022Q2 is out -- then after some
short interval there will likely be formal EOL of NetBSD 8. But
de-supporting 9 will happen after 11 is out, and my crystal ball says
that's in spring of 2025. So perhaps 2025Q2 might be the last to
support 9.
> I'm tempted to above 1, but upgrading is non-trivial work for me.
Automating upgrades probably needs more work; this shouldn't be hard,
but that's not really the main issue here.
So back to the issue: nodejs 18.2.0 fails because it tries to use
RSA_get0_pss_params.
netbsd-9 reports "OpenSSL 1.1.1k 25 Mar 2021" and RSA_get0_pss_params
and RSA_get0_crt_params are both present in /lib/libcrypto.so.14.0.
(RSA_get0_pss_params and RSA_get0_crt_params are both not present in
/lib/libcrypto.so.12.0 on my systems, dated April 2020 on one (stable
system, upgraded slowly) and March 2019 on another (test, updated
aggressively), and I'm guessing that is from netbsd-8.)
Looking in src/crypto/external/bsd/openssl/dist/include/openssl/rsa.h
I see that RSA_get0_pss_params was added from release on 2020-04-27,
importing 1.1.1g, from CVS history, and I see this in CHANGES-9.1.
So the big questions are
What does nodejs document for an openssl prereq?
Is there any way to patch nodejs to be ok with the earlier 1.1.1 that
is in 9.0_RELEASE, without hurting those with newer openssl?
Does marking that nodejs needs openssl >= 1.1.1g result in pulling in
pkgsrc openssl on 9.0_RELEASE, and not on 9.1_RELEASE?
Do people think we should document that pkgsrc only supports the most
recent formal release of a branch (and the tip of stable branch beyond
that)? And therefore have a rule that official build machines must be
updated to that branch? And maybe that it's ok not to fake kver to
9.0, and maybe even that it's bad to do so? (Personally I think we
can fix the nodejs issue without opening the can of worms, but I'm
also not personally interested in supporting versions for which there
is a stable upgrade that people should have updated to.) This is in my
view a major shift, and needs a new thread on tech-pkg@. Please feel
free to tell me offlist to start that discussion, or start it
yourself.
Attachment:
signature.asc
Description: PGP signature