Difference between pages "Ebuild Functions" and "Package:OpenSSL"

(Difference between pages)
(pkg_pretend)
 
 
Line 1: Line 1:
== Ebuild Functions ==
+
{{Ebuild
 +
|Summary=Full-strength general purpose cryptography library (including SSL and TLS.)
 +
|CatPkg=dev-libs/openssl
 +
|Homepage=http://www.openssl.org
 +
}}
 +
{{PageNeedsUpdates}}
 +
OpenSSL is a cryptography package used with {{Package|net-misc/openssh}}, web servers, and more.  ftps, https, smtps, imaps, etc use SSL/TLS.  SSL/TLS is used to prevent man in the middle attacks on plain text streams of data.  As this is a security package it is frequently cycled from testing, & bug repairs.
 +
{{note|ssl is old, tls is new.  If you have the option to run tls, run tls rather than ssl}}
  
Ebuilds provide the ability to define various shell functions that are used to specify various actions relating to building and installing a source or binary package on a user's system. When an ebuild is emerged, the following functions are called, in order:
+
=== Installation ===
 +
{{console|body=###i## emerge dev-libs/openssl}}
  
* <tt>pkg_setup</tt> - variable intialization and sanity checks
+
=== Usage ===
* <tt>src_unpack</tt>
+
ssl uses several certificates with differing coverage, and use cases.  Certificates are obtained by 3rd party sites.  go-daddy, namecheap, and verisign are popular ssl certificate providers, though several others exist.
* <tt>src_prepare</tt>
+
* <tt>src_configure</tt>
+
* <tt>src_compile</tt>
+
* <tt>src_install</tt>
+
  
At this point, the files are ready to be "merged" into the live filesystem. This is when they are copied from the temporary build directory into <tt>/usr</tt>, etc. At this point, the following functions are executed:
+
The general overview is buy certificate, send private files, send extra information if required, get files back, insert files into openssl configs, change program configs ports to S version of the protocol, (as in for web port 80, now listens to port 443, and i address the server as https instead of http now.) reorder the cert next year.
  
* <tt>pkg_preinst</tt>
+
==== Self Signed Certificates ====
* (files are merged)
+
Free:
* <tt>pkg_postinst</tt>
+
Self signed certificates are free, self made, quick, easy to setup, and insecure.  They are great for lab experiments, and testing out new technologies that you're not familiar with.
  
=== src_* functions ===
+
==== Free Certificates ====
 +
Free:  (with restrictions)
 +
You can get free certificates from places like StartSSL.com.  The free certificates from them are not recommended if you are a company or doing E-Commerce as they only validate that you own the domain, not anything beyond that.  However, for personal sites, you can't beat the cost.
  
Ebuild functions starting with <tt>src_</tt> are all related to creating the ebuild or package from source code/artifacts, and are defined below:
+
==== Single Domain Certificates ====
 +
Generally $10/yr:
 +
Single domain certificates are probably the cheapest ssl certificate you will find on the web.  This certificate does not cover subdomains.
  
==== src_unpack ====
+
==== Unified Communications Certificate ====
 +
Generally $300/yr
 +
This certificate is meant for small businesses.  This type of certificate will generally cover 20-30 domains, sites, or subdomains.
  
<tt>src_unpack</tt> is intended to be used to unpack the source code/artifacts that will be used by the other <tt>src_*</tt> functions. With EAPI 1 and earlier, it is also used for patching/modifying the source artifacts to prepare them for building, but with EAPI 2 or later the <tt>src_prepare</tt> function should be used for this instead. When <tt>src_unpack</tt> starts, the current working directory is set to <tt>$WORKDIR</tt>, which is the directory within which all source code/artifacts should be expanded. Note that the variable <tt>$A</tt> is set to the names of all the unique source files/artifacts specified in <tt>SRC_URI</tt>, and they will all be available in <tt>$DISTDIR</tt> by the time <tt>src_unpack</tt> starts. Also note that if no <tt>src_unpack</tt> function is specified, <tt>ebuild.sh</tt> will execute the following function for <tt>src_unpack</tt> by default:
+
==== Wildcard Certificates ====
 +
Generally $300/yr
 +
Wildcard certificates are expensive, however they cover every subdomain name you add.
  
<pre>
+
==== Other Misc Certs ====
src_unpack() {
+
*domain validated SSL Certificates
  unpack ${A}
+
*organization validated SSL Certificates
}
+
*Extended Validation SSL Certificates
</pre>
+
  
==== src_prepare ====
+
=== Using SSL With Nginx or Tengine ===
 +
See this page:  [[HOWTO:WebServer_SSL]]
  
EAPI 2 and above support the <tt>src_prepare</tt> function, which is intended to be used for applying patches or making other modifications to the source code. When <tt>src_prepare</tt> starts, the current working directory is set to <tt>$S</tt>.
+
=== External Resources ===
 
+
https://wiki.archlinux.org/index.php/OpenSSL
==== src_configure ====
+
{{EbuildFooter}}
 
+
EAPI 2 and above support the <tt>src_configure</tt> function, which is used to configure the source code prior to compilation. With EAPI 2 and above, the following default <tt>src_configure</tt> is defined if none is specified:
+
 
+
<pre>
+
src_configure() {
+
if [[ -x ${ECONF_SOURCE:-.}/configure ]] ; then
+
econf
+
fi
+
}
+
</pre>
+
 
+
==== src_compile ====
+
 
+
This function defines the steps necessary to compile source code. With EAPI 1 and earlier, this function is also used to configure the source code prior to compilation. However, starting with EAPI 2, the <tt>src_configure</tt> function must be used for configuration steps instead of bundling them inside <tt>src_compile</tt>. In addition, starting with EAPI 2, there is now a default <tt>src_compile</tt> function that will be executed if none is defined in the ebuild:
+
 
+
<pre>
+
src_compile() {
+
if [ -f Makefile ] || [ -f GNUmakefile ] || [ -f makefile ] ; then
+
emake || die "emake failed"
+
fi
+
}
+
</pre>
+
 
+
==== src_test ====
+
 
+
<tt>src_test</tt> is an interesting function - by default, an end-user's Portage does not have tests enabled. But if a user has <tt>test</tt> in <tt>FEATURES</tt>, or <tt>EBUILD_FORCE_TEST</tt> is defined, then <tt>ebuild.sh</tt> will attempt to run a test suite for this ebuild, by executing <tt>make check</tt> or <tt>make test</tt> if these targets are defined in the Makefile; otherwise, no tests will execute. If your Makefile supports <tt>make check</tt> or <tt>make test</tt> but the test suite is broken, then specify <tt>RESTRICT="test"</tt> in your ebuild to disable the test suite.
+
 
+
==== src_install ====
+
 
+
<tt>src_install</tt> is used by the ebuild writer to install all to-be-installed files to the <tt>$D</tt> directory, which can be treated like an empty root filesystem, in that <tt>${D}/usr</tt> is the equivalent of the <tt>/usr</tt> directory, etc. When <tt>src_install</tt> runs, the Portage sandbox will be enabled, which will prevent any processes from creating or modifying files outside of the <tt>${D}</tt> filesystem tree, and a sandbox violation will occur (resulting in the termination of the ebuild) if any such sandbox violation should occur. Once <tt>src_install</tt> has perfomed all necessary steps to install all to-be-installed files to <tt>$D</tt>, Portage will take care of merging these files to the filesystem specified by the <tt>$ROOT</tt> environment variable, which defaults to <tt>/</tt> if not set. When Portage merges these files, it will also record information about the installed package to <tt>/var/db/pkg/(cat)/$P</tt>. Typically, a <tt>src_install</tt> function such as this is sufficient for ensuring that all to-be-installed files are installed to <tt>$D</tt>:
+
 
+
<pre>
+
src_install() {
+
  make DESTDIR="$D" install
+
}
+
</pre>
+
 
+
=== pkg_* functions ===
+
 
+
An ebuild's functions starting with <tt>pkg_*</tt> take a wider view of the package lifecycle, and may be executed very early or very late in the build or package installation process. They are also all executed even if installing a Portage binary package, so are the intended place for defining any global configuration changes that are also required during binary package installation, such as user and group creation. When these functions are executed, the <tt>$ROOT</tt> variable will be defined to point to the target root filesystem to which the package is to be (or has been) installed. All logic inside <tt>pkg_*</tt> functions must function properly even if <tt>$ROOT</tt> is something other than <tt>/</tt>.
+
 
+
==== pkg_setup ====
+
 
+
The <tt>pkg_setup</tt> function is unusual in that it runs prior to any <tt>src_*</tt> function, and also runs prior to any other <tt>pkg_*</tt> function that runs when a binary package is installed, so it provides a useful place for the ebuild writer to perform any sanity checks, global configuration changes to the system (such as user/group creation) or set any internal global variables that are used by the rest of the ebuild. Using this function for defining global variables that are needed in multiple other functions is a useful way of avoiding duplicate code. You should also look to <tt>pkg_setup</tt> as the ideal place to put any logic that would otherwise linger in the main body of the ebuild, which should be avoided at all costs as it will slow down dependency calculation by Portage. Also remember that Portage can build binary packages, and this function is a good place to execute any steps that are required to run both prior to building an ebuild, and prior to installing a package. Also consider using <tt>pkg_preinst</tt> and <tt>pkg_postinst</tt> for this purpose.
+
 
+
==== pkg_pretend ====
+
 
+
The <tt>pkg_pretend</tt> function was added with EAPI 3, and it's the opinion of Daniel Robbins that the use of this function should be avoided. This function is especially unusual in that it is intended to be run ''during dependency calculation'', and is intended to provide a polite mechanism to inform the user that a particular ebuild will fail due to a known incompatibility, typically a kernel incompatibility. That way, the user can know during <tt>emerge --pretend</tt> that a merge will fail. While this is useful, extending the dependency engine using <tt>bash</tt> is a very low-performance means to perform these tests. In addition, some of these problems may be resolved by to-be-merged dependencies. If extra pre-compile checks need to be performed, place them in {{c|pre_src_compile}} so that they run immediately before the compile process.
+
 
+
To use {{c|pkg_pretend}} properly, understand that it runs at dep calculation time, and may be prior to the ebuild building from source, installing from a binary package, or just building a binary package and not installing. To determine what exactly will be happening, examine the {{c|MERGE_TYPE}} variable. It can have one of the following possible values:
+
 
+
;{{c|binary}}: the ebuild is installing from binary package.
+
;{{c|source}}: the ebuild is installing from source.
+
;{{c|buildonly}}: the ebuild is building a package, but not installing.
+
 
+
Based on the setting of {{c|MERGE_TYPE}}. perform the appropriate checks.
+
 
+
==== pkg_preinst ====
+
 
+
The <tt>pkg_preinst</tt> function is called by Portage, prior to merging the to-be-installed files to the target filesystem specified by <tt>$ROOT</tt> environment variable (which defaults to <tt>/</tt>.) Keep in mind that these to-be-installed files were either just compiled and installed to <tt>$D</tt> by <tt>src_install</tt>, or they were just extracted from a <tt>.tbz2</tt> binary package. The <tt>pkg_preinst</tt> function provides an ideal place to perform any "just before install" actions, such as user and group creation or other necessary steps to ensure that the package merges successfully. It also provides a potential place to perform any sanity checks related to installing the package to the target filesystem. If any sanity checks fail, calling <tt>die</tt> from this function will cause the package to not be installed to the target filesystem.
+
 
+
==== pkg_postinst ====
+
 
+
The <tt>pkg_postinst</tt> function is called by Portage prior to the package being installed to the target filesystem specified by <tt>$ROOT</tt>. This is a good place to perform any post-install configuration actions as well as print any informational messages for the user's benefit related to the package that was just installed.
+
 
+
==== pkg_prerm ====
+
 
+
The <tt>pkg_prerm</tt> function is called by Portage before an ebuild is removed from the filesystem.
+
 
+
==== pkg_postrm ====
+
 
+
The <tt>pkg_postrm</tt> function is called by Portage after an ebuild is removed from the filesystem.
+
 
+
==== pkg_config ====
+
 
+
The <tt>pkg_config</tt> function is called by Portage when the user calls <tt>emerge --config</tt> for the ebuild. The current directory will be set to the current directory of the shell from where <tt>emerge --config</tt> is run.
+
=== Skipping over a function ===
+
To skip over a function, create a function that does not do anything. The recommended way is to use bash no-op command:
+
<syntaxhighlight lang="bash">
+
# Skip src_prepare.
+
src_prepare() { :; }
+
</syntaxhighlight>
+
 
+
=== Extra pre_ and post_ functions ===
+
 
+
Modern versions of Portage also support functions identical to the above functions but with '''pre_''' and '''post_''' at the beginning of the function name. For example, <tt>post_src_configure</tt> will be executed after <tt>src_configure</tt> and before <tt>src_compile</tt>. These additional functions are supported by all EAPIs, provided that the parent function is supported by the EAPI in use. The initial current working directory should be identical to the initial current working directory of the parent function.
+
 
+
=== Helper Functions ===
+
 
+
==== econf() ====
+
 
+
econf() is part of ebuild.sh and is intended to be a wrapper to the <tt>configure</tt> command that is typically used in the <tt>src_configure()</tt> stage. It has a number of behaviors that are important for ebuild writers to understand. Once you understand what <tt>econf()</tt> does, you are free to use it in your ebuilds. Note that the behavior of <tt>econf()</tt> is generally safe for most autoconf-based source archives, but in some cases it may be necessary to avoid using <tt>econf()</tt> to avoid some of its default behaviors.
+
 
+
===== Automatically set prefix =====
+
 
+
<tt>--prefix=/usr</tt> will be passed to <tt>configure</tt> automatically, unless a <tt>--prefix</tt> argument was specified to <tt>econf()</tt>, in which case, that <tt>--prefix</tt> setting will be used instead.
+
 
+
===== Automatically set libdir =====
+
 
+
If the <tt>ABI</tt> variable is set (typically done in the profile), then <tt>econf()</tt> will look for a variable named <tt>LIBDIR_$ABI</tt> (ie. <tt>LIBDIR_amd64</tt>). If this variable is set, the value of this variable will be used to set <tt>libdir</tt> to the value of <tt>{prefix}/LIBDIR_$ABI</tt>.
+
 
+
===== Automatically set CHOST and CTARGET =====
+
 
+
The <tt>--host=$CHOST</tt> argument will be passed to <tt>configure</tt>. <tt>$CHOST</tt> is defined in the system profile. In addition, the <tt>--target=$CTARGET</tt> argument will be passed to <tt>configure</tt> if <tt>$CTARGET</tt> is defined. This is not normally required but is done to make Portage more capable of cross-compiling the ebuild. However, this functionality is not a guarantee that your ebuild will successfully cross-compile, as other changes to the ebuild may be necessary.
+
 
+
===== Disable Dependency Tracking (EAPI 4) =====
+
 
+
In EAPI 4, the <tt>--disable-dependency-tracking</tt> argument will be passed to <tt>configure</tt> in order to optimize the performance of the configuration process. This option should have no impact other than on the performance of the <tt>configure</tt> script.
+
 
+
===== List of arguments =====
+
 
+
The following arguments are passed to <tt>configure</tt> and are all overrideable by the user by passing similar options to <tt>econf()</tt>:
+
 
+
* <tt>--prefix=/usr</tt>
+
* <tt>--libdir={prefix}/LIBDIR_$ABI</tt>
+
* <tt>--host=${CHOST}</tt>
+
* if CTARGET is defined, then <tt>--target=${CTARGET}</tt>
+
* <tt>--mandir=/usr/share/man</tt>
+
* <tt>--infodir=/usr/share/info</tt>
+
* <tt>--datadir=/usr/share</tt>
+
* <tt>--sysconfdir=/etc</tt>
+
* <tt>--localstatedir=/var/lib</tt>
+
* if EAPI 4+, then <tt>--disable-dependency-tracking</tt>
+
 
+
[[Category:Internals]]
+
[[Category:Portage]]
+
[[Category:Official Documentation]]
+

Latest revision as of 05:58, July 9, 2015

dev-libs/openssl


Source Repository:Repository:Funtoo Overlay

http://www.openssl.org

Summary: Full-strength general purpose cryptography library (including SSL and TLS.)

Use Flags

bindist
Disable EC/RC5 algorithms (as they seem to be patented)
ec_nistp_64_gcc_128
Enable 64-bit optimized implementations of elliptic curves NIST-P224, NIST-P256 and NIST-P521
rfc3779
Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)

News

Drobbins

Perl Updates

Gentoo has bumped perl from 5.20 to 5.22. Be sure to run perl-cleaner --all after the upgrade.
2015-07-25 by Drobbins
Drobbins

ARM Rebuild

ARM systems will use new stage3's that are not compatible with earlier versions.
2015-06-27 by Drobbins
Drobbins

ABI X86 64 and 32

Funtoo Linux has new 32-bit compatibility libraries inherited from Gentoo. Learn about them here.
2015-06-18 by Drobbins
More...

OpenSSL

Tip

We welcome improvements to this page. To edit this page, Create a Funtoo account. Then log in and then click here to edit this page. See our editing guidelines to becoming a wiki-editing pro.

OpenSSL is a cryptography package used with Package:OpenSSH, web servers, and more. ftps, https, smtps, imaps, etc use SSL/TLS. SSL/TLS is used to prevent man in the middle attacks on plain text streams of data. As this is a security package it is frequently cycled from testing, & bug repairs.

Note

ssl is old, tls is new. If you have the option to run tls, run tls rather than ssl

Installation

# emerge dev-libs/openssl


Usage

ssl uses several certificates with differing coverage, and use cases. Certificates are obtained by 3rd party sites. go-daddy, namecheap, and verisign are popular ssl certificate providers, though several others exist.

The general overview is buy certificate, send private files, send extra information if required, get files back, insert files into openssl configs, change program configs ports to S version of the protocol, (as in for web port 80, now listens to port 443, and i address the server as https instead of http now.) reorder the cert next year.

Self Signed Certificates

Free: Self signed certificates are free, self made, quick, easy to setup, and insecure. They are great for lab experiments, and testing out new technologies that you're not familiar with.

Free Certificates

Free: (with restrictions) You can get free certificates from places like StartSSL.com. The free certificates from them are not recommended if you are a company or doing E-Commerce as they only validate that you own the domain, not anything beyond that. However, for personal sites, you can't beat the cost.

Single Domain Certificates

Generally $10/yr: Single domain certificates are probably the cheapest ssl certificate you will find on the web. This certificate does not cover subdomains.

Unified Communications Certificate

Generally $300/yr This certificate is meant for small businesses. This type of certificate will generally cover 20-30 domains, sites, or subdomains.

Wildcard Certificates

Generally $300/yr Wildcard certificates are expensive, however they cover every subdomain name you add.

Other Misc Certs

  • domain validated SSL Certificates
  • organization validated SSL Certificates
  • Extended Validation SSL Certificates

Using SSL With Nginx or Tengine

See this page: HOWTO:WebServer_SSL

External Resources

https://wiki.archlinux.org/index.php/OpenSSL