Difference between pages "Java Configuration Design Update" and "Package:OpenSSL"

(Difference between pages)
 
 
Line 1: Line 1:
This page describes a potential update to the Java support code in Gentoo and Funtoo Linux, with the intention of simplifying <tt>java-config</tt> code and also making it more correct and better integrated with Portage itself. The proposal intends to address deficiencies in the current design of <tt>java-utils-2.eclass</tt> while maintaining its useful features and avoiding a full rewrite. Rather than replace the current system with more code, the goal is to simplify the existing code while retaining functionality, while allowing a graceful migration of advanced functionality inside Portage itself.
+
{{Ebuild
 
+
|Summary=Full-strength general purpose cryptography library (including SSL and TLS.)
{{fancytip|Please post comments on the [[{{TALKPAGENAME}}|Discussion]] page.}}
+
|CatPkg=dev-libs/openssl
 
+
|Homepage=http://www.openssl.org
== Design Challenges ==
+
 
+
The current Java eclasses have some very interesting and powerful features, yet are lacking in some areas.
+
 
+
=== Dependency Handling ===
+
 
+
Currently, <tt>java-utils-2.eclass</tt> uses <tt>depend-java-query</tt> to automatically select the most optimal Java VM for building. This is a sophisticated feature that is intended to be 'smart', yet it has some flaws. These flaws are fixable:
+
 
+
* While JVM auto-selection is smart, it is not always correct -- it doesn't use Portage's API, but instead uses regexes to parse the currently-executing ebuild's <tt>DEPEND</tt> string.
+
 
+
* Related to the regex issue, the code in <tt>depend-java-query</tt> is complex as it tries to duplicate some functionality that could be handled better by Portage's API.
+
 
+
This proposal provides a mechanism for the Portage API to be used to always generate a completely correct result. This may seem like a minimal optimization since the existing code is correct ''most'' of the time. But it is duplicative, in that it does a rough approximation of what the Portage API could do absolutely correctly. So there is no good reason to keep it -- less code means more maintainability.
+
 
+
{{fancyimportant|Moreover, there is even a better reason for doing things the right way -- eclasses should as much as possible be able to behave as "first-class citizens" in the world of Portage. This is an important architectural goal, and there are severe costs for not pursuing it, namely having every eclass under the sun re-implement various parts of Portage, albeit poorly, creating much uncessary code and frustration!}}
+
 
+
=== Atoms ===
+
 
+
Currently, <tt>eselect java-vm</tt> and <tt>java-config</tt> have their own "atoms" that they use to identify Java virtual machines, which seems to be <tt>${PN}-${SLOT}</tt>. Yet Portage already has atoms, and we should try to allow support for them over time. This proposal does require there to be some "link" between the existing JVM atom and the Portage atom. This link currently does not exist.
+
 
+
== Proposal ==
+
 
+
=== java-config Settings ===
+
 
+
This proposal involves a minor upgrade to the java-config settings for a JVM -- adding a <tt>PORTAGE_ATOM</tt> setting to the file, which allows the <tt>java-config</tt> atom to be linked to the Portage atom:
+
 
+
{{file|name=/usr/share/java-config-2/vm/oracle-jdk-bin-1.7|desc=Java-config settings|lang=bash|body=
+
# Copyright 1999-2011 Gentoo Foundation
+
# Distributed under the terms of the GNU General Public License v2
+
# $Header: /var/cvsroot/gentoo-x86/dev-java/oracle-jdk-bin/files/oracle-jdk-bin-1.7.env,v 1.2 2011/11/17 22:49:56 caster Exp $
+
 
+
VERSION="Oracle JDK 1.7.0.60"
+
JAVA_HOME="/opt/oracle-jdk-bin-1.7.0.60"
+
JDK_HOME="/opt/oracle-jdk-bin-1.7.0.60"
+
JAVAC=${JAVA_HOME}/bin/javac
+
PATH="${JAVA_HOME}/bin:${JAVA_HOME}/jre/bin"
+
ROOTPATH="${JAVA_HOME}/bin:${JAVA_HOME}/jre/bin"
+
LDPATH="${JAVA_HOME}/jre/lib/amd64/:${JAVA_HOME}/jre/lib/amd64/xawt/:${JAVA_HOME}/jre/lib/amd64/server/"
+
MANPATH="/opt/oracle-jdk-bin-1.7.0.60/man"
+
PROVIDES_TYPE="JDK JRE"
+
PROVIDES_VERSION="1.7"
+
BOOTCLASSPATH="${JAVA_HOME}/jre/lib/resources.jar:${JAVA_HOME}/jre/lib/rt.jar:${JAVA_HOME}/jre/lib/sunrsasign.jar:${JAVA_HOME}/jre/lib/jsse.jar:${JAVA_HOME}/jre/lib/jce.jar:${JAVA_HOME}/jre/lib/charsets.jar:${JAVA_HOME}/jre/classes"
+
GENERATION="2"
+
ENV_VARS="JAVA_HOME JDK_HOME JAVAC PATH ROOTPATH LDPATH MANPATH"
+
VMHANDLE="oracle-jdk-bin-1.7"
+
BUILD_ONLY="FALSE"
+
PORTAGE_ATOM="dev-java/oracle-jdk-bin-1.7.0.60"
+
 
}}
 
}}
 +
{{PageNeedsUpdates}}
 +
OpenSSL is a cryptography package used with {{Package|net-misc/openssh}}, web servers, and more.  ftps, https, smtps, imaps, etc use SSL/TLS.  SSL/TLS is used to prevent man in the middle attacks on plain text streams of data.  As this is a security package it is frequently cycled from testing, & bug repairs.
 +
{{note|ssl is old, tls is new.  If you have the option to run tls, run tls rather than ssl}}
  
With this very minor and easy-to-implement change, new possibilities are available -- namely, for <tt>java-config</tt> code to tap into the Portage API and leverage its advanced dependency handling functionality.
+
=== Installation ===
 
+
{{console|body=###i## emerge dev-libs/openssl}}
<div style="float: right; width: 40%; margin-left: 1em; margin-top: 1em; margin-bottom: 1em; background-color: #f8f8f8; padding: 0.5em; border-radius: 8px;">
+
 
+
=== Provides ===
+
 
+
{{fancynote|This section is not a requirement for the implementation of this proposal, but a suggestion for future Portage development.}}
+
 
+
Currently, the functionality that is provided by each JVM is stored in the <tt>java-config</tt> file shown above, namely in the <tt>PROVIDES_TYPE</tt> and <tt>PROVIDES_VERSION</tt> variables. This works for us, though it is unfortunate that the (in my opinion) not completely thought-out [http://wiki.gentoo.org/wiki/GLEP:37 GLEP 37] was implemented, which deprecated the <tt>PROVIDES</tt> variable in Portage. This is a useful variable because it gave us a "link" from the installed package to the virtual it provided. No such link currently exists, which is a reduction in useful functionality.
+
 
+
It is recommended that <tt>PROVIDES</tt> is un-deprecated in Portage, and used by ebuilds solely for recording what virtuals are provided by the ebuild, so that they can be queried later once the package is installed. This would allow <tt>PROVIDES_TYPE</tt> and <tt>PROVIDES_VERSION</tt> -- functionality duplicated by the Java tools -- to be removed, further reducing the complexity of the Java tools codebase.
+
</div>
+
 
+
=== java-config Dependency Handling ===
+
 
+
With these changes, <tt>java-config</tt> and <tt>depend-java-query</tt> to tap directly into the power of Portage dependency handling. Let's see how.
+
 
+
=== Query: List installed VMs ===
+
 
+
To list installed VMs, <tt>java-config</tt> could look in <tt>/usr/share/java-config-2/vm/</tt> to get a list of all installed Java VMs. However, thanks to the <tt>PORTAGE_ATOM</tt> variable, it can then compile a list of corresponding package atoms in <tt>/var/db/pkg</tt>.
+
 
+
=== Query: Is a Suitable or Best VM Selected? ===
+
  
Currently, the <tt>java-utils-2.eclass</tt> attempts to magically select the proper VM for building based on the contents of the <tt>DEPEND</tt> string. This is how this functionality would be implemented correctly, using the Portage API rather than custom code.
+
=== Usage ===
 +
ssl uses several certificates with differing coverage, and use cases. Certificates are obtained by 3rd party sites. go-daddy, namecheap, and verisign are popular ssl certificate providers, though several others exist.
  
To perform this query correctly and efficiently, <tt>depend-java-query</tt> can compile a list of Portage atoms for all installed Java VMs, along with what virtual they provide using <tt>PORTAGE_ATOM</tt>, <tt>PROVIDES_TYPE</tt> and <tt>PROVIDES_VERSION</tt>. Then, the <tt>DEPEND</tt> handed to it can be correctly evaluated using Portage functions. This is how the Portage side of the algorithm would work:
+
The general overview is buy certificate, send private files, send extra information if required, get files back, insert files into openssl configs, change program configs ports to S version of the protocol, (as in for web port 80, now listens to port 443, and i address the server as https instead of http now.) reorder the cert next year.
  
# Pre-process <tt>DEPEND</tt> string:
+
==== Self Signed Certificates ====
## Remove all components that are not related to <tt>virtual/jdk</tt> and <tt>virtual/jre</tt>.
+
Free:
## Evaluate <tt>DEPEND</tt> string using currently-active USE settings to remove all conditionals.
+
Self signed certificates are free, self made, quick, easy to setup, and insecure. They are great for lab experiments, and testing out new technologies that you're not familiar with.
# Create a <tt>fakedbapi</tt> and <tt>cpv_inject()</tt> the current system VM Portage atom into it.
+
# Evaluate the pre-processed <tt>DEPEND</tt> string and see if the dependencies are satisfied.
+
# If so, a suitable VM is selected.
+
  
To find the "best match" VM, a similar process would be followed. Instead of <tt>cpv_inject</tt>ing the current system VM, ''all'' installed VMs would be injected and a best match would be found.
+
==== Free Certificates ====
 +
Free:  (with restrictions)
 +
You can get free certificates from places like StartSSL.com.  The free certificates from them are not recommended if you are a company or doing E-Commerce as they only validate that you own the domain, not anything beyond that. However, for personal sites, you can't beat the cost.
  
== Future Directions ==
+
==== Single Domain Certificates ====
 +
Generally $10/yr:
 +
Single domain certificates are probably the cheapest ssl certificate you will find on the web.  This certificate does not cover subdomains.
  
=== Reusing Code, Merging into Portage ===
+
==== Unified Communications Certificate ====
 +
Generally $300/yr
 +
This certificate is meant for small businesses.  This type of certificate will generally cover 20-30 domains, sites, or subdomains.
  
Since this functionality could use useful to other eclasses, this could be used as a test for a more generic helper function that could be integrated into Portage. This would allow other eclasses to implement similar functionality without having to have their own custom helper applications.
+
==== Wildcard Certificates ====
 +
Generally $300/yr
 +
Wildcard certificates are expensive, however they cover every subdomain name you add.
  
The <tt>java-config</tt> settings file could be merged into <tt>/var/db/pkg</tt> and a simple API could be added to <tt>vartree</tt> and <tt>dblink</tt> to provide API access to it. This would provide a toolkit for eclasses for storing extra configuration settings with installed ebuilds, which could be useful for a variety of purposes.
+
==== Other Misc Certs ====
 +
*domain validated SSL Certificates
 +
*organization validated SSL Certificates
 +
*Extended Validation SSL Certificates
  
All these goals support the idea of code re-use and maintainability, and addressing the problem at the correct architectural level.
+
=== Using SSL With Nginx or Tengine ===
 +
See this page:  [[HOWTO:WebServer_SSL]]
  
[[Category:Portage]]
+
=== External Resources ===
[[Category:FLOP]]
+
https://wiki.archlinux.org/index.php/OpenSSL
[[Category:Java]]
+
{{EbuildFooter}}
__NOEDITSECTION__
+

Latest revision as of 05:58, July 9, 2015

dev-libs/openssl


Source Repository:Repository:Funtoo Overlay

http://www.openssl.org

Summary: Full-strength general purpose cryptography library (including SSL and TLS.)

Use Flags

bindist
Disable EC/RC5 algorithms (as they seem to be patented)
ec_nistp_64_gcc_128
Enable 64-bit optimized implementations of elliptic curves NIST-P224, NIST-P256 and NIST-P521
rfc3779
Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)

News

Drobbins

IP Space Migration Continues

All Funtoo user containers in the 8.28 IP space will be moving into our new IP space (172.97) over the next few days. If you have DNS set up -- be sure to watch your container and update to the new IP! container.host.funtoo.org DNS will be updated after the move.
2015-08-27 by Drobbins
Drobbins

Funtoo Hosting IP Move

Funtoo user containers with IPs in the 72.18.x.x range will be gradually migrating to new IP addresses this week. If you have DNS entries for your containers, please be aware that your DNS will need to be updated.
2015-08-11 by Drobbins
Drobbins

New ARM Stages

New ARM Stages, built with a new toolchain, are now hitting mirrors. Existing ARM users should re-install using these stages (dated Aug 3, 2015 or later,) rather than upgrade using emerge.
2015-08-06 by Drobbins
More...

OpenSSL

Tip

We welcome improvements to this page. To edit this page, Create a Funtoo account. Then log in and then click here to edit this page. See our editing guidelines to becoming a wiki-editing pro.

OpenSSL is a cryptography package used with Package:OpenSSH, web servers, and more. ftps, https, smtps, imaps, etc use SSL/TLS. SSL/TLS is used to prevent man in the middle attacks on plain text streams of data. As this is a security package it is frequently cycled from testing, & bug repairs.

Note

ssl is old, tls is new. If you have the option to run tls, run tls rather than ssl

Installation

# emerge dev-libs/openssl


Usage

ssl uses several certificates with differing coverage, and use cases. Certificates are obtained by 3rd party sites. go-daddy, namecheap, and verisign are popular ssl certificate providers, though several others exist.

The general overview is buy certificate, send private files, send extra information if required, get files back, insert files into openssl configs, change program configs ports to S version of the protocol, (as in for web port 80, now listens to port 443, and i address the server as https instead of http now.) reorder the cert next year.

Self Signed Certificates

Free: Self signed certificates are free, self made, quick, easy to setup, and insecure. They are great for lab experiments, and testing out new technologies that you're not familiar with.

Free Certificates

Free: (with restrictions) You can get free certificates from places like StartSSL.com. The free certificates from them are not recommended if you are a company or doing E-Commerce as they only validate that you own the domain, not anything beyond that. However, for personal sites, you can't beat the cost.

Single Domain Certificates

Generally $10/yr: Single domain certificates are probably the cheapest ssl certificate you will find on the web. This certificate does not cover subdomains.

Unified Communications Certificate

Generally $300/yr This certificate is meant for small businesses. This type of certificate will generally cover 20-30 domains, sites, or subdomains.

Wildcard Certificates

Generally $300/yr Wildcard certificates are expensive, however they cover every subdomain name you add.

Other Misc Certs

  • domain validated SSL Certificates
  • organization validated SSL Certificates
  • Extended Validation SSL Certificates

Using SSL With Nginx or Tengine

See this page: HOWTO:WebServer_SSL

External Resources

https://wiki.archlinux.org/index.php/OpenSSL