In file included from /var/tmp/portage/dev-qt/qtcore-4.8.7-r2/work/qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket_openssl_symbols.cpp:47:0: /var/tmp/portage/dev-qt/qtcore-4.8.7-r2/work/qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket_openssl_symbols.cpp: In function ‘const SSL_METHOD* q_SSLv3_client_method()’: /var/tmp/portage/dev-qt/qtcore-4.8.7-r2/work/qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket_openssl_symbols_p.h:169:39: error: ‘SSLv3_client_method’ was not declared in this scope ret q_##func(arg) { funcret func(a); } ^ /var/tmp/portage/dev-qt/qtcore-4.8.7-r2/work/qt-everywhere-opensource-src-4.8.7/src/network/ssl/qsslsocket_openssl_symbols.cpp:231:1: note: in expansion of macro ‘DEFINEFUNC’ $ cat emerge-info.txt ----------------------------------------------------------------- This is an unstable amd64 chroot image (named amd64-hardened-unstable_20160522-095633) at a hardened host acting as a tinderbox. ----------------------------------------------------------------- make.conf: USE="mmx sse sse2 pax_kernel xtpax -cdinstall -oci8 -bindist custom-optimization dvb extraengine fontconfig freetds gcj gpg -gtk3 gudev havege hdf5 ipv6 jadetex kerberos kvm libvirtd mod ois openexr pcre16 -pkcs11 postgres qml qt4 qt5 scripts sdl server sqlite sqlite3 sse4_1 ssl system-cairo theora threads -tools usbredir widgets wma wxwidgets X x265 xa xslt xvfb xvmc xz libressl curl_ssl_libressl -curl_ssl_openssl" ----------------------------------------------------------------- Portage 2.3.0_rc1 (python 2.7.11-final-0, hardened/linux/amd64, gcc-5.3.0, glibc-2.23-r2, 4.5.5-hardened-r2 x86_64) ================================================================= System uname: Linux-4.5.5-hardened-r2-x86_64-Intel-R-_Core-TM-_i7-3770_CPU_@_3.40GHz-with-gentoo-2.2 KiB Mem: 16157888 total, 3008264 free KiB Swap: 16777212 total, 16723480 free Timestamp of repository gentoo: Wed, 01 Jun 2016 15:38:52 +0000 sh bash 4.3_p42-r2 ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1 distcc 3.2rc1 x86_64-pc-linux-gnu [disabled] ccache version 3.2.5 [disabled] app-shells/bash: 4.3_p42-r2::gentoo dev-java/java-config: 2.2.0-r3::gentoo dev-lang/perl: 5.24.0::gentoo dev-lang/python: 2.7.11-r2::gentoo, 3.4.3-r7::gentoo, 3.5.1-r2::gentoo dev-util/ccache: 3.2.5::gentoo dev-util/cmake: 3.5.2-r1::gentoo sys-apps/baselayout: 2.2::gentoo sys-apps/openrc: 0.21::gentoo sys-apps/sandbox: 2.10-r2::gentoo sys-devel/autoconf: 2.13::gentoo, 2.69-r2::gentoo sys-devel/automake: 1.9.6-r4::gentoo, 1.10.3-r2::gentoo, 1.11.6-r2::gentoo, 1.12.6-r1::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo sys-devel/binutils: 2.25.1-r1::gentoo sys-devel/gcc: 4.9.3::gentoo, 5.3.0::gentoo sys-devel/gcc-config: 1.8-r1::gentoo sys-devel/libtool: 2.4.6-r2::gentoo sys-devel/make: 4.2-r2::gentoo sys-kernel/linux-headers: 4.6::gentoo (virtual/os-headers) sys-libs/glibc: 2.23-r2::gentoo Repositories: gentoo location: /usr/portage sync-type: rsync sync-uri: rsync://rsync.gentoo.org/gentoo-portage priority: 1 local location: /usr/local/portage masters: gentoo priority: 2 ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="*" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=native -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /etc/omega.conf /etc/stunnel/stunnel.conf /usr/lib64/fax /usr/share/config /usr/share/easy-rsa /usr/share/themes/oxygen-gtk/gtk-2.0 /var/lib/hsqldb /var/rancid/.cloginrc /var/spool/fax/etc" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=native -O2 -pipe" DISTDIR="/var/tmp/distfiles" EMERGE_DEFAULT_OPTS="--verbose-conflicts --color=n --nospinner --tree --quiet-build" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync network-sandbox parallel-fetch preserve-libs protect-owned sandbox sfperms strict test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo rsync://mirror.netcologne.de/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gor.bytemark.co.uk/gentoo/ rsync://ftp.snt.utwente.nl/gentoo" LANG="en_US.utf8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j1" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git" PORTAGE_TMPDIR="/var/tmp" USE="X acl amd64 berkdb bzip2 cli cracklib crypt custom-optimization cxx dri dvb extraengine fontconfig freetds gcj gdbm gpg gudev hardened havege hdf5 iconv ipv6 jadetex justify kerberos kvm libressl libvirtd mmx mmxext mod modules multilib ncurses nls nptl ois openexr openmp pam pax_kernel pcre pcre16 pie postgres qml qt4 qt5 readline scripts sdl seccomp server session sqlite sqlite3 sse sse2 sse4_1 ssl ssp system-cairo tcpd theora threads unicode urandom usbredir widgets wma wxwidgets x265 xa xattr xslt xtpax xvfb xvmc xz zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" CURL_SSL="libressl" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="intel i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Created attachment 436086 [details] dev-qt:qtcore-4.8.7-r2:20160601-184741.log.bz2
Created attachment 436088 [details] emerge-history.txt
Created attachment 436090 [details] environment
is this with libressl or with openssl[-sslv3] ?
(In reply to Davide Pesavento from comment #4) clearly libressl - as seen in comment #0 ;)
I ran into the same problem with =net-libs/libressl-2.4.0 in a VM I use for building, using vanilla gentoo (Linux blueprint.gcc.vanilla.amd64.greendragon 4.4.6-gentoo #1 SMP Fri May 13 20:50:10 UTC 2016 x86_64 AMD FX(tm)-4300 Quad-Core Processor AuthenticAMD GNU/Linux). This is related to newer versions removing SSLv3 support from libressl, though I have not searched for upstream bugs/improvements.
(In reply to Toralf Förster from comment #5) > (In reply to Davide Pesavento from comment #4) > clearly libressl - as seen in comment #0 ;) Have you considered filling a bug upstream? for qtcore 4 I see no open bugs: https://bugreports.qt.io/browse/QTBUG-52291?jql=text%20~%20%22qtcore%20libressl%22 so if you have no time to do it, I can make my build fail again and report a bug, but as you opened this here it would make more sense if you did it.
Upstream Bugticket: https://bugreports.qt.io/browse/QTBUG-53838
(In reply to Davide Pesavento from comment #4) > is this with libressl or with openssl[-sslv3] ? libressl-2.4.0 dropped sslv3 so that's what's going on here. you're going to hit it sooner or later with openssl too.
(In reply to Nils Gillmann (ng0) from comment #7) > Have you considered filling a bug upstream? for qtcore 4 I see no open bugs: > https://bugreports.qt.io/browse/QTBUG- > 52291?jql=text%20~%20%22qtcore%20libressl%22 > so if you have no time to do it, I can make my build fail again and report a > bug, but as you opened this here it would make more sense if you did it. (In reply to Nils Gillmann (ng0) from comment #8) > Upstream Bugticket: https://bugreports.qt.io/browse/QTBUG-53838 There's *zero* development on Qt4, the upstream repo is completely frozen, and has been so for a long time. I'm pretty sure they will not do anything about this issue.
(In reply to Anthony Basile from comment #9) > (In reply to Davide Pesavento from comment #4) > > is this with libressl or with openssl[-sslv3] ? > > libressl-2.4.0 dropped sslv3 so that's what's going on here. you're going > to hit it sooner or later with openssl too. Except that I can still force a openssl[sslv3] dependency, at least until openssl completely drops SSLv3 too. But I don't think I can simply depend on <libressl-2.4, I expect older versions will be treecleaned soon after the first security bugs are found.
(In reply to Davide Pesavento from comment #11) > (In reply to Anthony Basile from comment #9) > > (In reply to Davide Pesavento from comment #4) > > > is this with libressl or with openssl[-sslv3] ? > > > > libressl-2.4.0 dropped sslv3 so that's what's going on here. you're going > > to hit it sooner or later with openssl too. > > Except that I can still force a openssl[sslv3] dependency, at least until > openssl completely drops SSLv3 too. But I don't think I can simply depend on > <libressl-2.4, I expect older versions will be treecleaned soon after the > first security bugs are found. no. they are maintaining 2.2, 2.3 and 2.4 in parallel. you should depend on <libressl-2.3
Created attachment 436490 [details, diff] Patch making SSLv3 optional Gentlemen, I found this nice little patch in our libressl overlay. I can't do that right now, but maybe one of you could try out if it still works with Qt 4.8.7 ? Thanks! :o)
*** Bug 585036 has been marked as a duplicate of this bug. ***
(In reply to Davide Pesavento from comment #10) > (In reply to Nils Gillmann (ng0) from comment #7) > > Have you considered filling a bug upstream? for qtcore 4 I see no open bugs: > > https://bugreports.qt.io/browse/QTBUG- > > 52291?jql=text%20~%20%22qtcore%20libressl%22 > > so if you have no time to do it, I can make my build fail again and report a > > bug, but as you opened this here it would make more sense if you did it. > > (In reply to Nils Gillmann (ng0) from comment #8) > > Upstream Bugticket: https://bugreports.qt.io/browse/QTBUG-53838 > > There's *zero* development on Qt4, the upstream repo is completely frozen, > and has been so for a long time. I'm pretty sure they will not do anything > about this issue. Oh, I wasn't aware of that. I thought qt4 and qt5 still co-exist in development
(In reply to Andreas K. Hüttel from comment #13) > I can't do that right now, but maybe one of you could try out if it still > works with Qt 4.8.7 ? > > Thanks! :o) I'll apply and see if it works. Thanks!
Created attachment 436548 [details] qtcore-4.8.5-libressl.patch.out (In reply to Andreas K. Hüttel from comment #13) > Created attachment 436490 [details, diff] [details, diff] > Patch making SSLv3 optional > > Gentlemen, I found this nice little patch in our libressl overlay. > > I can't do that right now, but maybe one of you could try out if it still > works with Qt 4.8.7 ? > > Thanks! :o) I'll adjust this patch, seems there have been changes from 4.8.5 to 4.8.7, did not look at it yet. This is just to tell you it does not simply work by throwing it into your /e/p/patches/$PN dir
Toralf, is this qtcore:4 from portage or libressl overlay? I use the libressl overlay and for me it builds this way.
bug 590342 also has a patch.
*** Bug 590342 has been marked as a duplicate of this bug. ***
Could the proposed patch be applied to qtcore:4? What else is missing?
well, qt4 is dead but /me do wonder if at least it is worth that the affected ebuild should masked the appropriate USE flags settings ?
*** Bug 593226 has been marked as a duplicate of this bug. ***
(In reply to Toralf Förster from comment #22) > well, qt4 is dead but /me do wonder if at least it is worth that the > affected ebuild should masked the appropriate USE flags settings ? I disagree. Qt4 development might have stopped, however, it is yet far away from being dead. Important packages, such as KDE or VirtualBox, still depend on it. Masking those packages would mean that LibreSSL cannot be employed as true replacement for OpenSSL on many Gentoo systems. That would really be a shame.
If it were me, I'd just mask the USE flag. We try to avoid carrying custom patches, especially for security-sensitive stuff.
(In reply to Tolga Dalman from comment #24) > (In reply to Toralf Förster from comment #22) > > well, qt4 is dead but /me do wonder if at least it is worth that the > > affected ebuild should masked the appropriate USE flags settings ? > > I disagree. Qt4 development might have stopped, however, it is yet far away > from being dead. Important packages, such as KDE or VirtualBox, still depend > on it. > > Masking those packages would mean that LibreSSL cannot be employed as true > replacement for OpenSSL on many Gentoo systems. That would really be a shame. VirtualBox and the bulk of KDE packages support Qt 5, but Qt 5 doesn't support libressl either, see bug #562050.
(In reply to Michael Palimaka (kensington) from comment #26) > (In reply to Tolga Dalman from comment #24) > > (In reply to Toralf Förster from comment #22) > > > well, qt4 is dead but /me do wonder if at least it is worth that the > > > affected ebuild should masked the appropriate USE flags settings ? > > > > I disagree. Qt4 development might have stopped, however, it is yet far away > > from being dead. Important packages, such as KDE or VirtualBox, still depend > > on it. > > > > Masking those packages would mean that LibreSSL cannot be employed as true > > replacement for OpenSSL on many Gentoo systems. That would really be a shame. > > VirtualBox and the bulk of KDE packages support Qt 5, but Qt 5 doesn't > support libressl either, see bug #562050. well ... not on my system: # equery d dev-qt/qtcore:4 ... app-emulation/virtualbox-5.0.20 (dev-qt/qtcore:4) ... kde-base/kdelibs-4.14.23 (>=dev-qt/qtcore-4.8.5:4[qt3support,ssl]) ... As for libressl and Qt5: I use qtnetwork[-ssl], thus, no dependency to OpenSSL on my system at all.
(In reply to Tolga Dalman from comment #27) > # equery d dev-qt/qtcore:4 > ... > app-emulation/virtualbox-5.0.20 (dev-qt/qtcore:4) Newer versions of virtualbox have a qt5 USE flag, we should consider stabilising. > kde-base/kdelibs-4.14.23 (>=dev-qt/qtcore-4.8.5:4[qt3support,ssl]) While kdelibs still receives bugfixes (for now), less and less stuff is depending on it. I'm expecting to see quite a substantial revdep cleanup in Gentoo in the coming months. > As for libressl and Qt5: I use qtnetwork[-ssl], thus, no dependency to > OpenSSL on my system at all. Noted, thanks.
(In reply to Michael Palimaka (kensington) from comment #28) > (In reply to Tolga Dalman from comment #27) > > kde-base/kdelibs-4.14.23 (>=dev-qt/qtcore-4.8.5:4[qt3support,ssl]) > > While kdelibs still receives bugfixes (for now), less and less stuff is > depending on it. I'm expecting to see quite a substantial revdep cleanup in > Gentoo in the coming months. I'm looking forward to it, though, the list I provided is by far complete. I really do not want to stress this, but what are the actual reasons not to apply the patch Andreas has found? Is there anything I could do to help out?
(In reply to Tolga Dalman from comment #29) > I really do not want to stress this, but what are the actual reasons not to > apply the patch Andreas has found? Is there anything I could do to help out? The main reason is that we (Qt team) traditionally try to avoid downstream patches as much as possible due to the maintenance burden and to avoid unforeseen complications (this goes double for patches that touch security-related stuff). The decision is ultimately up to Davide though.
*** Bug 605568 has been marked as a duplicate of this bug. ***
Ping. Could we decide what to do here and either merge or close the PR [1] appropriately? [1]:https://github.com/gentoo/gentoo/pull/4409
Apologies. I will handle this in the next couple of days.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43c10326958cf85bccdb6270b5963cba45052412
