Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 569818 - media-video/ffmpeg[libressl,-openssl] is built without ssl support
Summary: media-video/ffmpeg[libressl,-openssl] is built without ssl support
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo LibreSSL
URL:
Whiteboard:
Keywords:
: 601584 607412 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-12-26 16:04 UTC by om3i
Modified: 2019-03-05 20:15 UTC (History)
13 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
ffmpeg-libressl.patch (ffmpeg-libressl.patch,1.21 KB, patch)
2016-02-16 20:39 UTC, Joe Kappus
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description om3i 2015-12-26 16:04:25 UTC
If USE libressl is set and USE openssl is unset media-video/ffmpeg is built without ssl support.

Reproducible: Always
Comment 1 Alexis Ballier gentoo-dev 2016-02-15 12:22:43 UTC
commit 06114cd1a0a4672a7cc3b5efdd1ea45430dc655a
Author: Alexis Ballier <aballier@gentoo.org>
Date:   Mon Feb 15 13:22:12 2016 +0100

    media-video/ffmpeg: revert libressl changes in live ebuild.
    
    Those do not work properly, bug #569818 and there is no activity on said bug.


feel free to propose a proper patch
Comment 2 Joe Kappus 2016-02-15 20:06:26 UTC
(In reply to Alexis Ballier from comment #1)
> commit 06114cd1a0a4672a7cc3b5efdd1ea45430dc655a
> Author: Alexis Ballier <aballier@gentoo.org>
> Date:   Mon Feb 15 13:22:12 2016 +0100
> 
>     media-video/ffmpeg: revert libressl changes in live ebuild.
>     
>     Those do not work properly, bug #569818 and there is no activity on said
> bug.
> 
> 
> feel free to propose a proper patch

How about you revert your change as you now created a bigger bug?  This just creates a bigger problem for people who have libressl and openssl useflags as the migration guide suggests, now it breaks my deptree and I have to drop out ssl support or patch the ebuild.

While you're at it familiarize yourself with the libressl transition plan: https://github.com/gentoo/libressl/wiki/Transition-plan
Comment 3 Joe Kappus 2016-02-15 20:11:28 UTC
For the record, it would have been sufficient to just change the useflag from openssl to ssl.
Comment 4 Alexis Ballier gentoo-dev 2016-02-15 22:26:00 UTC
(In reply to Joe Kappus from comment #2)
> How about you revert your change as you now created a bigger bug?  This just
> creates a bigger problem for people who have libressl and openssl useflags
> as the migration guide suggests, now it breaks my deptree and I have to drop
> out ssl support or patch the ebuild.

So much drama. You already did not have ssl support, since I assume you'd not set USE=openssl, or maybe had USE="gcrypt gnutls" and it didn't make a difference. Also, you might not have noticed before writing this rant, but versions where this has been reverted are masked and you have bigger issues than opting out ssl support if you use them...

> While you're at it familiarize yourself with the libressl transition plan:
> https://github.com/gentoo/libressl/wiki/Transition-plan

This plan does not involve pushing broken patches to the tree I'm afraid.
Since you seem to know much better, the version being masked leaves you time to submit a proper patch.

(In reply to Joe Kappus from comment #3)
> For the record, it would have been sufficient to just change the useflag
> from openssl to ssl.

Not really. "ssl" is enabled by default and this would mean that we would be shipping a ffmpeg, and all the gpl programs linking to it, that are not binary redistributable by default, which is definitely a no-go.
Comment 5 Joe Kappus 2016-02-16 05:45:56 UTC
(In reply to Alexis Ballier from comment #4)
> (In reply to Joe Kappus from comment #2)
> > How about you revert your change as you now created a bigger bug?  This just
> > creates a bigger problem for people who have libressl and openssl useflags
> > as the migration guide suggests, now it breaks my deptree and I have to drop
> > out ssl support or patch the ebuild.
> 
> So much drama. You already did not have ssl support, since I assume you'd
> not set USE=openssl, or maybe had USE="gcrypt gnutls" and it didn't make a
> difference. Also, you might not have noticed before writing this rant, but
> versions where this has been reverted are masked and you have bigger issues
> than opting out ssl support if you use them...
> 

Your assumption was incorrect.  I did have both libressl and openssl set for the ebuild.

Don't break things in portage to spur activity on a bug. This is not acceptable behavior.  I came here because this broke and you advertised this report in the changelog. 

> > While you're at it familiarize yourself with the libressl transition plan:
> > https://github.com/gentoo/libressl/wiki/Transition-plan
> 
> This plan does not involve pushing broken patches to the tree I'm afraid.
> Since you seem to know much better, the version being masked leaves you time
> to submit a proper patch.
> 

This plan does involve making the libressl USE flag not collide with the openssl USE flag. Try setting a useflag dependency on openssl if the libressl useflag is set then. Sprinkle some ewarn magic in if you want your users to understand the logic. No patches breaking anything needed.

Your other option is to do a new broken out SSL useflag section for just ffmpeg.  net-misc/curl did it with CURL_SSL, but I think that's probably overkill here.

> (In reply to Joe Kappus from comment #3)
> > For the record, it would have been sufficient to just change the useflag
> > from openssl to ssl.
> 
> Not really. "ssl" is enabled by default and this would mean that we would be
> shipping a ffmpeg, and all the gpl programs linking to it, that are not
> binary redistributable by default, which is definitely a no-go.

Fair enough.  I'll admit I didn't consider the gcrypt and gnutls flags.
Comment 6 Alexis Ballier gentoo-dev 2016-02-16 09:30:48 UTC
(In reply to Joe Kappus from comment #5)

Ranting on a bug usually does not get things fixed quicker, rather the contrary. On the other hand, submitting patches does.


I do not have a clear idea on how this should be done, but unless libressl supporters clearly document libressl support is to be supported only with USE="openssl libressl", handle relevant bugs in a timely manner and do not disappear in the middle of the transition, what was done is definitely not the proper way.
Comment 7 Joe Kappus 2016-02-16 20:36:44 UTC
(In reply to Alexis Ballier from comment #6)
> (In reply to Joe Kappus from comment #5)
> 
> Ranting on a bug usually does not get things fixed quicker, rather the
> contrary. On the other hand, submitting patches does.
> 

Submitting a patch only to get it denied by you is not a logical application of my time.  At this point this bug has only served in documenting your bad behavior.  I'll do a patch on the live ebuild that works around the issue minimally in my next comment though.

> 
> I do not have a clear idea on how this should be done, but unless libressl
> supporters clearly document libressl support is to be supported only with
> USE="openssl libressl", handle relevant bugs in a timely manner and do not
> disappear in the middle of the transition, what was done is definitely not
> the proper way.

Admitting you're out of your depth here doesn't help your argument. I've proposed 3 distinct solutions of which you only found the first to be invalid.  If you don't like the transition plan take it out on hasufell and friends, not on the userbase.  Thanks.
Comment 8 Joe Kappus 2016-02-16 20:39:22 UTC
Created attachment 425668 [details, diff]
ffmpeg-libressl.patch

This adds a REQUIRED_USE check for openssl useflag if libressl useflag is added.  It technically fixes the original bug.
Comment 9 Alexis Ballier gentoo-dev 2016-02-16 20:58:48 UTC
(In reply to Joe Kappus from comment #8)
> Created attachment 425668 [details, diff] [details, diff]
> ffmpeg-libressl.patch
> 
> This adds a REQUIRED_USE check for openssl useflag if libressl useflag is
> added.  It technically fixes the original bug.

It is more correct and acceptable, thanks.

Do you plan to document USE="-openssl libressl" is not meant to be used? (e.g. on the wiki or the migration plan)
If not, users will get an error message that is usually hard to understand. Or worse: some packages *might* use the opposite logic. I think this needs coordination from the "libressl team" to unify ebuild behavior on this side.
This is basically why I didn't go the lazy way to simply add the REQUIRED_USE line.

(In reply to Joe Kappus from comment #7)
> Submitting a patch only to get it denied by you is not a logical application
> of my time.  At this point this bug has only served in documenting your bad
> behavior.

Don't believe your crystal ball so much :)

> If you don't like the transition plan take it out on hasufell and
> friends, not on the userbase.  Thanks.

Well, look at the assignee of the bug.
Comment 10 Joe Kappus 2016-02-16 21:51:36 UTC
(In reply to Alexis Ballier from comment #9)
> (In reply to Joe Kappus from comment #8)
> > Created attachment 425668 [details, diff] [details, diff] [details, diff]
> > ffmpeg-libressl.patch
> > 
> > This adds a REQUIRED_USE check for openssl useflag if libressl useflag is
> > added.  It technically fixes the original bug.
> 
> It is more correct and acceptable, thanks.
> 
> Do you plan to document USE="-openssl libressl" is not meant to be used?
> (e.g. on the wiki or the migration plan)
> If not, users will get an error message that is usually hard to understand.
> Or worse: some packages *might* use the opposite logic. I think this needs
> coordination from the "libressl team" to unify ebuild behavior on this side.
> This is basically why I didn't go the lazy way to simply add the
> REQUIRED_USE line.
> 

Ideally everything could be done the same way.  But some packages are special case.  I mentioned net-misc/curl earlier because this falls into a documented special case category with adequate documentation of a broken out CURL_SSL useflag system.  There's not a REQUIRED_USE_WARN system that I'm aware of, so I couldn't add an ewarn easily here to instruct a user what to do here without going through the process of breaking the SSL flags out and that is a *major* change for user to go through.  Rather I added a comment back to this bug.  Besides, this is masked and libressl isn't a default use case, so the users hitting this should be able to figure it out by checking out this bug.

I'm also not sure if ffmpeg allows things like gnutls and openssl to be selected at the same time. I need feedback from upstream (you) on my earlier proposals before I try to make less lazy patches. 

> (In reply to Joe Kappus from comment #7)
> > Submitting a patch only to get it denied by you is not a logical application
> > of my time.  At this point this bug has only served in documenting your bad
> > behavior.
> 
> Don't believe your crystal ball so much :)
> 

It doesn't solve any of your concerns, just fixes the original reporter's.

> > If you don't like the transition plan take it out on hasufell and
> > friends, not on the userbase.  Thanks.
> 
> Well, look at the assignee of the bug.

I know, I've had to gripe at him before and he's tough to get a hold of. None of this is ideal.
Comment 11 Alexis Ballier gentoo-dev 2016-02-16 23:06:55 UTC
(In reply to Joe Kappus from comment #10)
> I'm also not sure if ffmpeg allows things like gnutls and openssl to be
> selected at the same time. I need feedback from upstream (you) on my earlier
> proposals before I try to make less lazy patches. 

Yes, it allows it, but the lazy way: it won't choke if you enable both but will use what it prefers.

For openssl, I can see it is used in two parts:
1. tls (https & rtmps) support
2. rtmp(t)e support

for tls, if you skip windows & osx apis, it can use gnutls & openssl. it'll not build openssl support if you enable gnutls.

for rtmp(t)e, it can use gmp, gcrypt or openssl, in that order: meaning, you enable gmp, you don't build gcrypt nor openssl rtmpe support. But this is valid only if you don't use librtmp, in which case it'll use librtmp only: this is handled by USE=librtmp... (and crypto support is handled by media-video/rtmpdump useflags)

As much as I'd like to have feature-based useflags for ffmpeg, it seems better to have dep-based useflags as upstream provides. Another striking example where feature-based useflags would fail is AAC: https://trac.ffmpeg.org/wiki/Encode/AAC


Not sure what exactly were your other proposals, but something like CURL_SSL won't work (you don't have a 1:1 mapping as openssl is not used in only one part) and a warning if USE="-openssl libressl" was the proper way before REQUIRED_USE appeared, but these days REQUIRED_USE should be used (which isn't ideal either, but still better since you get the notification before you actually build the package).
Comment 12 Alexis Ballier gentoo-dev 2016-02-17 21:44:29 UTC
(In reply to Alexis Ballier from comment #9)
> Do you plan to document USE="-openssl libressl" is not meant to be used?
> (e.g. on the wiki or the migration plan)
> If not, users will get an error message that is usually hard to understand.
> Or worse: some packages *might* use the opposite logic. I think this needs
> coordination from the "libressl team" to unify ebuild behavior on this side.
> This is basically why I didn't go the lazy way to simply add the
> REQUIRED_USE line.


Anthony, following your email on -dev, could you please advise on the above ? Thanks.
Comment 13 Alexis Ballier gentoo-dev 2016-12-05 13:52:50 UTC
*** Bug 601584 has been marked as a duplicate of this bug. ***
Comment 14 Alexis Ballier gentoo-dev 2017-01-27 18:12:47 UTC
*** Bug 607412 has been marked as a duplicate of this bug. ***
Comment 15 Marek Behún 2017-01-27 18:21:45 UTC
/o\ Already one year and nothing done here? Are you people insane? Today I could not emerge stable version of chromium with system-ffmpeg because it depends on >=ffmpeg-3, and ffmpeg-3 in the tree does not support libressl yet.

So I created #607412 where there are also attached patches that work just the way ffmpeg-2 ebuild works. If this way is not acceptable to you, please write here how would you like to solve this issue, and I am willing to create patches for you.

One year, guys... /o\
Comment 16 Rok Kralj 2017-05-03 09:32:35 UTC
Try to open a bug on libressl overlay github page. You will probably have more luck.
Comment 17 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-11-11 08:13:24 UTC
(In reply to Alexis Ballier from comment #12)
> (In reply to Alexis Ballier from comment #9)
> > Do you plan to document USE="-openssl libressl" is not meant to be used?
> > (e.g. on the wiki or the migration plan)
> > If not, users will get an error message that is usually hard to understand.
> > Or worse: some packages *might* use the opposite logic. I think this needs
> > coordination from the "libressl team" to unify ebuild behavior on this side.
> > This is basically why I didn't go the lazy way to simply add the
> > REQUIRED_USE line.
> 
> 
> Anthony, following your email on -dev, could you please advise on the above
> ? Thanks.

It's explained in detail on [1]. Are you going to block LibreSSL much longer?

[1]:https://wiki.gentoo.org/wiki/Project:LibreSSL
Comment 18 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-11-11 08:19:52 UTC
Also, if you really do care about users not being confused, you could start by stopping to use custom meanings for gnutls/openssl flags instead of USE=ssl as used almost everywhere else in Gentoo.
Comment 19 Rok Kralj 2017-12-27 15:02:08 UTC
Today we are celebrating the second anniversary of this bug. Yupeee!
Comment 20 Alexis Ballier gentoo-dev 2018-01-05 13:29:13 UTC
(In reply to Michał Górny from comment #17)
> It's explained in detail on [1]. Are you going to block LibreSSL much longer?
> 
> [1]:https://wiki.gentoo.org/wiki/Project:LibreSSL

Where does it say anything about the behavior of USE="openssl libressl" vs USE="-openssl libressl" ?

(In reply to Michał Górny from comment #18)
> Also, if you really do care about users not being confused, you could start
> by stopping to use custom meanings for gnutls/openssl flags instead of
> USE=ssl as used almost everywhere else in Gentoo.

Please take some time to read the comments here, or even better, ffmpeg's configure, before making uninformed requests: The ssl useflag logic does not apply here unless shown otherwise.
Comment 21 jospezial 2018-02-17 13:43:25 UTC
!!! Problem resolving dependencies for media-video/ffmpeg
... done!

!!! The ebuild selected to satisfy "ffmpeg" has unmet requirements.
- media-video/ffmpeg-3.4.2::libressl USE="X alsa bluray bzip2 cdio encode fdk fontconfig gme gpl gsm hardcoded-tables iconv jack jpeg2k ladspa libass libdrm libressl librtmp libv4l lzma modplug mp3 network openal opengl openh264 opus postproc pulseaudio rubberband sdl speex ssh svg theora threads truetype twolame v4l vaapi vdpau vorbis vpx wavpack webp x264 x265 xcb xvid zlib zvbi (-altivec) -amr -amrenc (-appkit) -bs2b -celt -chromaprint -chromium -cpudetection -debug -doc -flite -frei0r -fribidi -gcrypt -gmp -gnutls -iec61883 -ieee1394 -kvazaar -libcaca -libilbc -libsoxr (-mipsdspr1) (-mipsdspr2) (-mipsfpu) (-mmal) -nvenc -openssl -oss -pic -samba -snappy -static-libs -test -zeromq -zimg" ABI_X86="32 (64) (-x32)" CPU_FLAGS_X86="mmx mmxext sse sse2 sse3 ssse3 -3dnow -3dnowext -aes -avx -avx2 -fma3 -fma4 -sse4_1 -sse4_2 -xop" FFTOOLS="aviocat cws2fws ffescape ffeval ffhash fourcc2pixfmt graph2dot ismindex pktdumper qt-faststart sidxindex trasher"

  The following REQUIRED_USE flag constraints are unsatisfied:
    libressl? ( openssl )

  The above constraints are a subset of the following complete expression:
    libressl? ( openssl ) libv4l? ( v4l ) fftools_cws2fws? ( zlib ) test? ( encode ) postproc? ( gpl ) frei0r? ( gpl ) cdio? ( gpl ) samba? ( gpl ) encode? ( x264? ( gpl ) x265? ( gpl ) xvid? ( gpl ) X? ( !xcb? ( gpl ) ) ) arm64? ( cpu_flags_arm_v8 ) cpu_flags_arm_v8? ( cpu_flags_arm_vfpv3 cpu_flags_arm_neon ) cpu_flags_arm_neon? ( cpu_flags_arm_thumb2 cpu_flags_arm_vfp ) cpu_flags_arm_vfpv3? ( cpu_flags_arm_vfp ) cpu_flags_arm_thumb2? ( cpu_flags_arm_v6 ) cpu_flags_arm_v6? ( cpu_flags_arm_thumb ) cpu_flags_x86_avx2? ( cpu_flags_x86_avx ) cpu_flags_x86_fma4? ( cpu_flags_x86_avx ) cpu_flags_x86_fma3? ( cpu_flags_x86_avx ) cpu_flags_x86_xop? ( cpu_flags_x86_avx ) cpu_flags_x86_avx? ( cpu_flags_x86_sse4_2 ) cpu_flags_x86_aes? ( cpu_flags_x86_sse4_2 ) cpu_flags_x86_sse4_2? ( cpu_flags_x86_sse4_1 ) cpu_flags_x86_sse4_1? ( cpu_flags_x86_ssse3 ) cpu_flags_x86_ssse3? ( cpu_flags_x86_sse3 ) cpu_flags_x86_sse3? ( cpu_flags_x86_sse2 ) cpu_flags_x86_sse2? ( cpu_flags_x86_sse ) cpu_flags_x86_sse? ( cpu_flags_x86_mmxext ) cpu_flags_x86_mmxext? ( cpu_flags_x86_mmx ) cpu_flags_x86_3dnowext? ( cpu_flags_x86_3dnow ) cpu_flags_x86_3dnow? ( cpu_flags_x86_mmx )


https://github.com/gentoo/libressl/commit/e3d98b49e663c42df800d4c982c4452a7d6ecb89

" media-video/ffmpeg: version bump to 3.3.6/3.4.2

add `libressl? ( openssl )` to `REQUIRED_USE` for the repository even
though it's unlikely to to be merged into ::gentoo"



=================================================================
                        Package Settings
=================================================================

media-video/ffmpeg-3.4.1::libressl was built with the following:
USE="X alsa bluray bzip2 cdio encode fdk fontconfig gme gpl gsm hardcoded-tables iconv jack jpeg2k ladspa libass libressl librtmp libv4l lzma modplug mp3 network openal opengl openh264 opus postproc pulseaudio rubberband sdl speex ssh svg theora threads truetype twolame v4l vaapi vdpau vorbis vpx wavpack webp x264 x265 xcb xvid zlib zvbi (-altivec) -amr -amrenc -bs2b -celt -chromaprint -chromium -cpudetection -debug -doc -flite -frei0r -fribidi -gcrypt -gmp -gnutls -iec61883 -ieee1394 -kvazaar -libcaca -libilbc -libsoxr (-mipsdspr1) (-mipsdspr2) (-mipsfpu) (-mmal) -nvenc -openssl -oss -pic -samba -snappy -static-libs -test -zeromq -zimg" ABI_X86="32 (64) (-x32)" CPU_FLAGS_X86="mmx mmxext sse sse2 sse3 ssse3 -3dnow -3dnowext -aes -avx -avx2 -fma3 -fma4 -sse4_1 -sse4_2 -xop" FFTOOLS="aviocat cws2fws ffescape ffeval ffhash fourcc2pixfmt graph2dot ismindex pktdumper qt-faststart sidxindex trasher"




I have globally set libressl and -openssl
Comment 22 Larry the Git Cow gentoo-dev 2018-04-24 17:57:57 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1652735710213c2fffbec3ed30e0363cceb120e8

commit 1652735710213c2fffbec3ed30e0363cceb120e8
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-23 19:17:28 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-24 17:57:00 +0000

    media-video/ffmpeg: add support for libtls (LibreSSL)
    
    Bug: https://bugs.gentoo.org/653814
    Closes: https://bugs.gentoo.org/569818
    Package-Manager: Portage-2.3.31, Repoman-2.3.9
    Closes: https://github.com/gentoo/gentoo/pull/8117

 media-video/ffmpeg/ffmpeg-4.0.ebuild  | 18 ++++++++++++------
 media-video/ffmpeg/ffmpeg-9999.ebuild | 18 ++++++++++++------
 2 files changed, 24 insertions(+), 12 deletions(-)
Comment 23 Larry the Git Cow gentoo-dev 2019-03-05 20:15:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=f16bab74560cd18d976b937bd257d5516aa1bbfd

commit f16bab74560cd18d976b937bd257d5516aa1bbfd
Author:     Stefan Strogin <stefan.strogin@gmail.com>
AuthorDate: 2019-03-05 20:12:58 +0000
Commit:     Stefan Strogin <stefan.strogin@gmail.com>
CommitDate: 2019-03-05 20:12:58 +0000

    media-video/ffmpeg: drop; fixed upstream and in gentoo.git
    
    Bug: https://bugs.gentoo.org/569818
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>

 media-video/ffmpeg/Manifest                        |   5 -
 media-video/ffmpeg/ffmpeg-3.2.6.ebuild             | 469 -------------------
 media-video/ffmpeg/ffmpeg-3.2.7.ebuild             | 469 -------------------
 media-video/ffmpeg/ffmpeg-3.3.4.ebuild             | 515 ---------------------
 media-video/ffmpeg/ffmpeg-3.3.6.ebuild             | 515 ---------------------
 media-video/ffmpeg/ffmpeg-3.4.5.ebuild             | 493 --------------------
 media-video/ffmpeg/files/chromium.patch            |  36 --
 media-video/ffmpeg/files/ffmpeg-3.2-libressl.patch |  57 ---
 media-video/ffmpeg/files/ffmpeg-3.3-libressl.patch |  57 ---
 media-video/ffmpeg/files/ffmpeg32-openjpeg22.patch | 106 -----
 media-video/ffmpeg/files/openjpeg22.patch          | 106 -----
 media-video/ffmpeg/files/openjpeg23.patch          | 109 -----
 media-video/ffmpeg/metadata.xml                    |  66 ---
 13 files changed, 3003 deletions(-)