Package Themis Core with BoringSSL (#683)
* More accurate DEB dependencies

Strictly speaking, libthemis depends on the OpenSSL library, not the
"openssl" binary. The "openssl" package installs the entire binary
along with its man pages, etc. Instead, it is sufficient to depend
only on the library.

The library package is typically called "libssl1.1", with an ABI suffix.
The default OpenSSL library version differs between distros so we cannot
write it in Makefile, but we should depend on the OpenSSL library from
the particular distribution. If we were using debhelper, this would have
been resolved for us automagically, but we are using FPM. Therefore we
will use the dependencies of "libssl-dev" package as a proxy for the
current default OpenSSL library name. This should be good enough.

* More accurate RPM dependencies

Similar to Debian/Ubuntu situation, the "openssl" package on RHEL/CentOS
installs the "openssl" binary. The package with libraries only is called
"openssl-libs", we should depend on that instead.

RPM packages typically do not include ABI information in the name,
though the distros here typically do not ship multiple ABIs of a library
either so it's fine.

* Changelog entry

* Build BoringSSL package with suffix

If we are building Themis with embedded BoringSSL, produce packages with
"-boringssl" suffix in their names:

  - libthemis-boringssl
  - libthemis-boringssl-dev
  - libthemis-boringssl-devel

Note that this affects only Themis Core packages. Other packages do not
depend on the choice of the cryptographic backend and keep their names:

  - libthemispp-dev
  - libthemispp-devel
  - libthemis-jni
  - libphpthemis

* Exclude OpenSSL from dependencies of BoringSSL flavor

If Themis Core package is built with embedded BoringSSL, it does not
depend on the system OpenSSL anymore. Do not include OpenSSL library and
development packages in dependencies of "libthemis-boringssl" and
"libthemis-boringssl-dev" packages.

* Make OpenSSL and BoringSSL packages conflicting

Since both flavors of Themis Core install effectively the same files,
make them conflicting:

  - libthemis conflicts with libthemis-boringssl
  - libthemis-dev conflicts with libthemis-boringssl-dev

This prevents simultaneous installation.

The implementation is not the most beautiful one, but we need to make it
symmetric as either package conflicts with the other one.

* Alternative dependencies for non-core packages

Both OpenSSL and BoringSSL flavors of Themis Core provide the same ABI
and can be used interchangeably. Make sure that both can satisfy
dependencies of libthemispp, libthemis-jni, and libphpthemis packages.

Note, however, that libthemis-boringssl cannot be used with libthemis-dev
and vice versa.

Also note that in this case we need to keep the version specs in
parentheses because --depends value is directly substituted into DEB's
"Depends:" field. FPM will not add parentheses for us this time.

* Accurate PHPThemis package dependencies

Previously PHPThemis did not include in its dependencies at all. Make
sure it depends on either OpenSSL or BoringSSL flavor of it, similar to
the "libthemis-jni" package.
ilammy authored Jul 23, 2020
1 parent 98ae844 commit 8ae934c
Showing 2 changed files with 48 additions and 10 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -9,6 +9,7 @@ _Code:_
- **Core**

- Include embedded BoringSSL into Soter for convenience ([#681](https://github.com/cossacklabs/themis/pull/681)).
- `make deb` and `make rpm` with `ENGINE=boringssl` will now produce `libthemis-boringssl` packages with embedded BoringSSL ([#683](https://github.com/cossacklabs/themis/pull/683)).

- **Android**

Expand All @@ -22,6 +23,10 @@ _Code:_

- Minor dependency updates making the world a better place ([#680](https://github.com/cossacklabs/themis/pull/680)).

- **PHP**

- `libphpthemis` packages for Debian/Ubuntu now have accurate dependencies ([#683](https://github.com/cossacklabs/themis/pull/683)).

- **WebAssembly**

- Minor dependency updates making the world a better place ([#680](https://github.com/cossacklabs/themis/pull/680)).
Expand All @@ -31,6 +36,7 @@ _Infrastructure:_
- Improved package split making `libthemis` thinner ([#678](https://github.com/cossacklabs/themis/pull/678)).
- Optimized dependencies of `libthemis` DEB and RPM packages ([#682](https://github.com/cossacklabs/themis/pull/682)).
- AndroidThemis is now available on JCenter ([#679](https://github.com/cossacklabs/themis/pull/679)).
- `make deb` and `make rpm` with `ENGINE=boringssl` will now produce `libthemis-boringssl` packages with embedded BoringSSL ([#683](https://github.com/cossacklabs/themis/pull/683)).

## [0.13.0](https://github.com/cossacklabs/themis/releases/tag/0.13.0), July 8th 2020
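
Review bot: The `make deb` and `make rpm` with `ENGINE=boringssl` entry added under _Infrastructure_ is word for word the same as the one added under **Core** earlier in this file, so the changelog now states it twice; keep it in one section. The entry also leaves out that `libthemis` and `libthemis-boringssl` (and their dev packages) now conflict with each other, which is the part an admin switching flavors will actually run into, so it deserves one more sentence.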

52 changes: 42 additions & 10 deletions Makefile
Expand Up @@ -604,26 +604,44 @@ endif
# Packaging Themis Core: Linux distributions
#

ifeq ($(ENGINE),boringssl)
ifeq ($(CRYPTO_ENGINE_LIB_PATH),)
PACKAGE_EMBEDDED_BORINGSSL := yes
endif
endif

COSSACKLABS_URL = https://www.cossacklabs.com
MAINTAINER = "Cossack Labs Limited <[email protected]>"
LICENSE_NAME = "Apache License Version 2.0"

DEB_CODENAME := $(shell lsb_release -cs 2> /dev/null)
DEB_ARCHITECTURE = `dpkg --print-architecture 2>/dev/null`
ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
# If we were using native Debian packaging, dpkg-shlibdeps could supply us with
# accurate dependency information. However, we build packages manually, so we
# use dependencies of "libssl-dev" as a proxy. Typically this is "libssl1.1".
DEB_DEPENDENCIES += --depends $(shell apt-cache depends libssl-dev | grep 'Depends:' | cut -d: -f 2- | tr -d ' ')
endif
DEB_DEPENDENCIES += --conflicts $(OTHER_PACKAGE_NAME)
DEB_DEPENDENCIES_DEV += --depends "$(PACKAGE_NAME) = $(VERSION)+$(OS_CODENAME)"
ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
DEB_DEPENDENCIES_DEV += --depends libssl-dev
DEB_DEPENDENCIES_THEMISPP = --depends "$(DEB_DEV_PACKAGE_NAME) = $(VERSION)+$(OS_CODENAME)"
DEB_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) >= $(VERSION)+$(OS_CODENAME)"
endif
DEB_DEPENDENCIES_DEV += --conflicts $(OTHER_DEB_DEV_PACKAGE_NAME)
DEB_DEPENDENCIES_THEMISPP = --depends "$(DEB_DEV_PACKAGE_NAME) (= $(VERSION)+$(OS_CODENAME)) | $(OTHER_DEB_DEV_PACKAGE_NAME) (= $(VERSION)+$(OS_CODENAME))"
DEB_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) (>= $(VERSION)+$(OS_CODENAME)) | $(OTHER_PACKAGE_NAME) >= ($(VERSION)+$(OS_CODENAME))"

ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
RPM_DEPENDENCIES += --depends openssl-libs
endif
RPM_DEPENDENCIES += --conflicts $(OTHER_PACKAGE_NAME)
RPM_DEPENDENCIES_DEV += --depends "$(PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
RPM_DEPENDENCIES_DEV += --depends openssl-devel
RPM_DEPENDENCIES_THEMISPP = --depends "$(RPM_DEV_PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
RPM_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) >= $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
endif
RPM_DEPENDENCIES_DEV += --conflicts $(OTHER_RPM_DEV_PACKAGE_NAME)
RPM_DEPENDENCIES_THEMISPP = --depends "($(RPM_DEV_PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM) or $(OTHER_RPM_DEV_PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM))"
RPM_DEPENDENCIES_JNI += --depends "($(PACKAGE_NAME) >= $(RPM_VERSION)-$(RPM_RELEASE_NUM) or $(OTHER_PACKAGE_NAME) >= $(RPM_VERSION)-$(RPM_RELEASE_NUM))"
RPM_RELEASE_NUM = 1

OS_NAME := $(shell lsb_release -is 2>/dev/null || printf 'unknown')
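
Review bot: In `DEB_DEPENDENCIES_JNI` the second alternative has its parenthesis in the wrong place: `$(OTHER_PACKAGE_NAME) >= ($(VERSION)+$(OS_CODENAME))` should read `$(OTHER_PACKAGE_NAME) (>= $(VERSION)+$(OS_CODENAME))`, matching the first alternative and `DEB_DEPENDENCIES_THEMISPP`. Because this string is substituted into the `Depends:` field as is, the malformed relation ends up in the libthemis-jni control data. Separately, the `apt-cache depends libssl-dev` pipeline can expand to nothing (for example when the package index has no libssl-dev entry), which leaves a bare `--depends` with no value directly in front of `--conflicts`; failing the build on an empty result is safer than producing a package whose crypto library dependency is wrong or missing.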
Expand All @@ -641,13 +659,26 @@ else ifeq ($(OS_NAME),$(filter $(OS_NAME),RedHatEnterpriseServer CentOS))
RPM_LIBDIR := /$(shell [ $$(arch) == "x86_64" ] && echo "lib64" || echo "lib")
endif

PACKAGE_NAME = libthemis
DEB_DEV_PACKAGE_NAME = libthemis-dev
RPM_DEV_PACKAGE_NAME = libthemis-devel
ifeq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
PACKAGE_SUFFIX = -boringssl
endif
PACKAGE_NAME = libthemis$(PACKAGE_SUFFIX)
DEB_DEV_PACKAGE_NAME = $(PACKAGE_NAME)-dev
RPM_DEV_PACKAGE_NAME = $(PACKAGE_NAME)-devel
DEB_THEMISPP_PACKAGE_NAME = libthemispp-dev
RPM_THEMISPP_PACKAGE_NAME = libthemispp-devel
JNI_PACKAGE_NAME = libthemis-jni

ifeq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
OTHER_PACKAGE_NAME = libthemis
OTHER_DEB_DEV_PACKAGE_NAME = libthemis-dev
OTHER_RPM_DEV_PACKAGE_NAME = libthemis-devel
else
OTHER_PACKAGE_NAME = libthemis-boringssl
OTHER_DEB_DEV_PACKAGE_NAME = libthemis-boringssl-dev
OTHER_RPM_DEV_PACKAGE_NAME = libthemis-boringssl-devel
endif

PACKAGE_CATEGORY = security
SHORT_DESCRIPTION = Data security library for network communication and data storage
RPM_SUMMARY = Data security library for network communication and data storage. \
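
Review bot: `PACKAGE_SUFFIX` is assigned only inside the `ifeq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)` block, so in an OpenSSL build `PACKAGE_NAME = libthemis$(PACKAGE_SUFFIX)` picks up whatever `PACKAGE_SUFFIX` happens to be in the environment. Give it an explicit empty default before the conditional, or an `else` branch. The `OTHER_*` names also repeat the `libthemis`, `-boringssl`, `-dev` and `-devel` strings by hand; a short comment saying they must stay in sync with `PACKAGE_NAME` and the two dev package names would help, because a mismatch makes the Conflicts relation point at a package that does not exist and the two flavors could then be installed over each other's files.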
Expand Down Expand Up @@ -883,10 +914,11 @@ pkginfo:

PHP_VERSION_FULL:=$(shell php -r "echo PHP_MAJOR_VERSION.'.'.PHP_MINOR_VERSION;" 2>/dev/null)
ifeq ($(OS_CODENAME),jessie)
PHP_DEPENDENCIES:=php5
PHP_DEPENDENCIES += --depends php5
else
PHP_DEPENDENCIES:=php$(PHP_VERSION_FULL)
PHP_DEPENDENCIES += --depends php$(PHP_VERSION_FULL)
endif
PHP_DEPENDENCIES += --depends "$(PACKAGE_NAME) (>= $(VERSION)+$(OS_CODENAME)) | $(OTHER_PACKAGE_NAME) (>= $(VERSION)+$(OS_CODENAME))"

PHP_PACKAGE_NAME:=libphpthemis-php$(PHP_VERSION_FULL)
PHP_POST_INSTALL_SCRIPT:=./scripts/phpthemis_postinstall.sh
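
Review bot: The added `PHP_DEPENDENCIES += --depends "$(PACKAGE_NAME) (>= ...) | $(OTHER_PACKAGE_NAME) (>= ...)"` line needs a comment. The reason the version specs are wrapped in parentheses by hand (the value goes straight into the DEB `Depends:` field and FPM does not add them for an alternative) is written only in the commit message, and the next person to touch this line will not see it there.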
Expand All @@ -906,7 +938,7 @@ deb_php:
--package $(BIN_PATH)/deb/$(PHP_PACKAGE_NAME)_$(NAME_SUFFIX) \
--architecture $(DEB_ARCHITECTURE) \
--version $(VERSION)+$(OS_CODENAME) \
--depends "$(PHP_DEPENDENCIES)" \
$(PHP_DEPENDENCIES) \
--deb-priority optional \
--after-install $(PHP_POST_INSTALL_SCRIPT) \
--before-remove $(PHP_PRE_UNINSTALL_SCRIPT) \
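
Review bot: With `--depends "$(PHP_DEPENDENCIES)"` replaced by a bare `$(PHP_DEPENDENCIES)`, the variable must now hold complete, already quoted `--depends ...` flags, and anything that still sets it to a plain package name (as the removed `PHP_DEPENDENCIES:=php5` form did) would be passed through as a stray positional argument. A one-line comment at the definition, or a name that says it holds flags rather than package names, would make the new contract visible.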