From 8877deb2ca1dc1b57b849ec380e8a5ee24026221 Mon Sep 17 00:00:00 2001
From: Alexei Lozovsky
Date: Tue, 14 Jul 2020 21:37:02 +0300
Subject: [PATCH 1/9] More accurate DEB dependencies Strictly speaking, libthemis depends on the OpenSSL library, not the "openssl" binary. The "openssl" package installs the entire binary along with its man pages, etc. Instead, it is sufficient to depend only on the library. The library package is typically called "libssl1.1", with an ABI suffix. The default OpenSSL library version differs between distros so we cannot write it in Makefile, but we should depend on the OpenSSL library from the particular distribution. If we were using debhelper, this would have been resolved for us automagically, but we are using FPM. Therefore we will use the dependencies of "libssl-dev" package as a proxy for the current default OpenSSL library name. This should be good enough.
---
 Makefile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index fe03790d4..b761c7110 100644
--- a/Makefile
+++ b/Makefile
@@ -610,7 +610,10 @@ LICENSE_NAME = "Apache License Version 2.0"
 DEB_CODENAME := $(shell lsb_release -cs 2> /dev/null)
 DEB_ARCHITECTURE = `dpkg --print-architecture 2>/dev/null`
-DEB_DEPENDENCIES := --depends openssl
+# If we were using native Debian packaging, dpkg-shlibdeps could supply us with
+# accurate dependency information. However, we build packages manually, so we
+# use dependencies of "libssl-dev" as a proxy. Typically this is "libssl1.1".
+DEB_DEPENDENCIES += --depends $(shell apt-cache depends libssl-dev | grep 'Depends:' | cut -d: -f 2-)
 DEB_DEPENDENCIES_DEV += --depends "$(PACKAGE_NAME) = $(VERSION)+$(OS_CODENAME)"
 DEB_DEPENDENCIES_DEV += --depends libssl-dev
 DEB_DEPENDENCIES_THEMISPP = --depends "$(DEB_DEV_PACKAGE_NAME) = $(VERSION)+$(OS_CODENAME)"
From aea370f3d6d9cabcf5e331773d36d56c2b893806 Mon Sep 17 00:00:00 2001
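Review bot: The new `DEB_DEPENDENCIES += --depends $(shell apt-cache depends libssl-dev | grep 'Depends:' | cut -d: -f 2-)` line emits a bare `--depends` whenever the pipeline prints nothing (no apt-cache on the build host, a stale cache, or `libssl-dev` unknown there), and fpm would then swallow the following argument or build a package with no OpenSSL dependency at all, silently. Since `DEB_DEPENDENCIES` is now recursively expanded (`+=` on a name that is no longer `:=`-assigned), the `$(shell …)` also re-runs on every expansion of the variable. Capturing the value once and dropping the flag explicitly when it is empty is safer: `DEB_OPENSSL_PACKAGE := $(strip $(shell apt-cache depends libssl-dev 2>/dev/null | grep 'Depends:' | cut -d: -f 2-))` followed by `DEB_DEPENDENCIES += $(if $(DEB_OPENSSL_PACKAGE),--depends $(DEB_OPENSSL_PACKAGE))`, with the `deb` recipe failing when `DEB_OPENSSL_PACKAGE` is empty so the gap is never shipped. Note also that `apt-cache depends` may list several `Depends:` entries, each of which becomes a separate word after `--depends`; a `$(filter libssl%,…)` or `$(firstword …)` on the captured value is worth confirming against each target distribution.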
From: Alexei Lozovsky
Date: Mon, 20 Jul 2020 20:55:56 +0300
Subject: [PATCH 2/9] More accurate RPM dependencies Similar to Debian/Ubuntu situation, the "openssl" package on RHEL/CentOS installs the "openssl" binary. The package with libraries only is called "openssl-libs", we should depend on that instead. RPM packages typically do not include ABI infromation in the name, though the distros here typically do not ship multiple ABIs of a library either so it's fine.
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index b761c7110..e66119bf6 100644
--- a/Makefile
+++ b/Makefile
@@ -619,7 +619,7 @@ DEB_DEPENDENCIES_DEV += --depends libssl-dev
 DEB_DEPENDENCIES_THEMISPP = --depends "$(DEB_DEV_PACKAGE_NAME) = $(VERSION)+$(OS_CODENAME)"
 DEB_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) >= $(VERSION)+$(OS_CODENAME)"
-RPM_DEPENDENCIES = --depends openssl
+RPM_DEPENDENCIES += --depends openssl-libs
 RPM_DEPENDENCIES_DEV += --depends "$(PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
 RPM_DEPENDENCIES_DEV += --depends openssl-devel
 RPM_DEPENDENCIES_THEMISPP = --depends "$(RPM_DEV_PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
From 4afdd5c69567109505e8bc2d6f88d7c92cfa6e54 Mon Sep 17 00:00:00 2001
From: Alexei Lozovsky
Date: Mon, 20 Jul 2020 22:13:36 +0300
Subject: [PATCH 3/9] Changelog entry
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7b04b0989..ea58c26fd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,7 @@ _Code:_
 _Infrastructure:_
 - Improved package split making `libthemis` thinner ([#678](https://github.com/cossacklabs/themis/pull/678)).
+- Optimized dependencies of `libthemis` DEB and RPM packages ([#682](https://github.com/cossacklabs/themis/pull/682)).
 - AndroidThemis is now available on JCenter ([#679](https://github.com/cossacklabs/themis/pull/679)).
 ## [0.13.0](https://github.com/cossacklabs/themis/releases/tag/0.13.0), July 8th 2020
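Review bot: `RPM_DEPENDENCIES += --depends openssl-libs` carries no version or ABI constraint, while the DEB side of the series now picks up the ABI-suffixed library name, so an RPM built against one OpenSSL ABI installs cleanly on a host whose `openssl-libs` is a different one and only fails at load time with an unresolved soname. Unless fpm's automatic soname requirements are enabled for these packages (not visible in this hunk), a minimum version is the cheapest guard: `RPM_DEPENDENCIES += --depends "openssl-libs >= <OPENSSL_MIN_VERSION>"`, where the placeholder is the lowest OpenSSL release Themis is built and tested against. The commit message's point that RHEL/CentOS ship a single ABI per release holds within a release, but not across the build-host/target mismatch that building in a container makes easy.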
From 3e58664f7d333a11a3b1de774f9e9861153360f0 Mon Sep 17 00:00:00 2001
From: Alexei Lozovsky
Date: Tue, 14 Jul 2020 21:05:12 +0300
Subject: [PATCH 4/9] Build BoringSSL package with suffix If we are building Themis with embedded BoringSSL, produce packages with "-boringssl" suffix in their names: - libthemis-boringssl - libthemis-boringssl-dev - libthemis-boringssl-devel Note that this affects only Themis Core packages. Other packages do not depend on the choice of the cryptographic backend and keep their names: - libthemispp-dev - libthemispp-devel - libthemis-jni - libphpthemis
---
 Makefile | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index e66119bf6..b6d8f84cb 100644
--- a/Makefile
+++ b/Makefile
@@ -604,6 +604,12 @@ endif
 # Packaging Themis Core: Linux distributions #
+ifeq ($(ENGINE),boringssl)
+ifeq ($(CRYPTO_ENGINE_LIB_PATH),)
+PACKAGE_EMBEDDED_BORINGSSL := yes
+endif
+endif
+
 COSSACKLABS_URL = https://www.cossacklabs.com
 MAINTAINER = "Cossack Labs Limited "
 LICENSE_NAME = "Apache License Version 2.0"
@@ -641,9 +647,12 @@ else ifeq ($(OS_NAME),$(filter $(OS_NAME),RedHatEnterpriseServer CentOS))
 RPM_LIBDIR := /$(shell [ $$(arch) == "x86_64" ] && echo "lib64" || echo "lib")
 endif
-PACKAGE_NAME = libthemis
-DEB_DEV_PACKAGE_NAME = libthemis-dev
-RPM_DEV_PACKAGE_NAME = libthemis-devel
+ifeq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
+PACKAGE_SUFFIX = -boringssl
+endif
+PACKAGE_NAME = libthemis$(PACKAGE_SUFFIX)
+DEB_DEV_PACKAGE_NAME = $(PACKAGE_NAME)-dev
+RPM_DEV_PACKAGE_NAME = $(PACKAGE_NAME)-devel
 DEB_THEMISPP_PACKAGE_NAME = libthemispp-dev
 RPM_THEMISPP_PACKAGE_NAME = libthemispp-devel
 JNI_PACKAGE_NAME = libthemis-jni
From e9b616a7be80502f5fd2d4507c5b1d9b1ddd6e5a Mon Sep 17 00:00:00 2001
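Review bot: `PACKAGE_SUFFIX = -boringssl` in the second hunk is the only assignment of that name, so for the OpenSSL flavor `PACKAGE_SUFFIX` stays undefined: it expands to empty as intended, but a variable of that name exported into the build environment would silently rename `libthemis` and its `-dev`/`-devel` packages, and `make --warn-undefined-variables` flags the reference. Resetting it unconditionally before the `ifeq`, with `PACKAGE_SUFFIX :=` on its own line, removes both problems. In the first hunk, `ifeq ($(CRYPTO_ENGINE_LIB_PATH),)` is what decides that BoringSSL is embedded, and nothing says why an empty path means that; a comment above the outer `ifeq` such as `# No external CRYPTO_ENGINE_LIB_PATH given: BoringSSL is embedded into libthemis, so Core packages get a -boringssl suffix` makes the rule discoverable, and wrapping the tested value in `$(strip …)` tolerates stray whitespace from the command line.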
From: Alexei Lozovsky
Date: Tue, 14 Jul 2020 21:14:44 +0300
Subject: [PATCH 5/9] Exclude OpenSSL from dependencies of BoringSSL flavor If Themis Core package is built with embedded BoringSSL, it does not depend on the system OpenSSL anymore. Do not include OpenSSL library and development packages in dependencies of "libthemis-boringssl" and "libthemis-boringssl-dev" packages.
---
 Makefile | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/Makefile b/Makefile
index b6d8f84cb..aa9185395 100644
--- a/Makefile
+++ b/Makefile
@@ -616,18 +616,26 @@ LICENSE_NAME = "Apache License Version 2.0"
 DEB_CODENAME := $(shell lsb_release -cs 2> /dev/null)
 DEB_ARCHITECTURE = `dpkg --print-architecture 2>/dev/null`
+ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 # If we were using native Debian packaging, dpkg-shlibdeps could supply us with
 # accurate dependency information. However, we build packages manually, so we
 # use dependencies of "libssl-dev" as a proxy. Typically this is "libssl1.1".
 DEB_DEPENDENCIES += --depends $(shell apt-cache depends libssl-dev | grep 'Depends:' | cut -d: -f 2-)
+endif
 DEB_DEPENDENCIES_DEV += --depends "$(PACKAGE_NAME) = $(VERSION)+$(OS_CODENAME)"
+ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 DEB_DEPENDENCIES_DEV += --depends libssl-dev
+endif
 DEB_DEPENDENCIES_THEMISPP = --depends "$(DEB_DEV_PACKAGE_NAME) = $(VERSION)+$(OS_CODENAME)"
 DEB_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) >= $(VERSION)+$(OS_CODENAME)"
+ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 RPM_DEPENDENCIES += --depends openssl-libs
+endif
 RPM_DEPENDENCIES_DEV += --depends "$(PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
+ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 RPM_DEPENDENCIES_DEV += --depends openssl-devel
+endif
 RPM_DEPENDENCIES_THEMISPP = --depends "$(RPM_DEV_PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
 RPM_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) >= $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
 RPM_RELEASE_NUM = 1
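Review bot: The same `ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)` guard is opened and closed four times in this hunk, once around each OpenSSL-related `--depends`, which makes it easy for the next OpenSSL dependency to be added outside a guard and reach the BoringSSL packages unnoticed. Grouping the four assignments under a single guard keeps the rule "the BoringSSL flavor pulls in no system OpenSSL" in one place with one comment explaining it. fpm does not appear to care about the order of its `--depends` flags, so moving these four lines ahead of the version-pinned ones should be behaviour-neutral, though a quick diff of the generated control file and RPM spec would confirm that. The rewritten region would look like this.
```make
# The BoringSSL flavor embeds its crypto library: no system OpenSSL package may
# appear in its dependencies, so every OpenSSL dependency is kept in this block.
ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
# … unchanged: the dpkg-shlibdeps / libssl-dev proxy comment …
DEB_DEPENDENCIES += --depends $(shell apt-cache depends libssl-dev | grep 'Depends:' | cut -d: -f 2-)
DEB_DEPENDENCIES_DEV += --depends libssl-dev
RPM_DEPENDENCIES += --depends openssl-libs
RPM_DEPENDENCIES_DEV += --depends openssl-devel
endif
# … unchanged: version-pinned DEB_DEPENDENCIES_* and RPM_DEPENDENCIES_* assignments …
```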
From 19184fad0f622ae534c4a02cd9f41ec5da93afda Mon Sep 17 00:00:00 2001
From: Alexei Lozovsky
Date: Tue, 14 Jul 2020 21:55:06 +0300
Subject: [PATCH 6/9] Make OpenSSL and BoringSSL packages conflicting Since both flavors of Themis Core install effectively the same files, make them conflicting: - libthemis conflicts with libthemis-boringssl - libthemis-dev conflicts with libthemis-boringssl-dev This prevents simultaneous installation. The implementation is not the most beatiful one, but we need to make it symmetric as either package conflicts with the other one.
---
 Makefile | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/Makefile b/Makefile
index aa9185395..1f238640c 100644
--- a/Makefile
+++ b/Makefile
@@ -622,20 +622,24 @@ ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 # use dependencies of "libssl-dev" as a proxy. Typically this is "libssl1.1".
 DEB_DEPENDENCIES += --depends $(shell apt-cache depends libssl-dev | grep 'Depends:' | cut -d: -f 2-)
 endif
+DEB_DEPENDENCIES += --conflicts $(OTHER_PACKAGE_NAME)
 DEB_DEPENDENCIES_DEV += --depends "$(PACKAGE_NAME) = $(VERSION)+$(OS_CODENAME)"
 ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 DEB_DEPENDENCIES_DEV += --depends libssl-dev
 endif
+DEB_DEPENDENCIES_DEV += --conflicts $(OTHER_DEB_DEV_PACKAGE_NAME)
 DEB_DEPENDENCIES_THEMISPP = --depends "$(DEB_DEV_PACKAGE_NAME) = $(VERSION)+$(OS_CODENAME)"
 DEB_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) >= $(VERSION)+$(OS_CODENAME)"
 ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 RPM_DEPENDENCIES += --depends openssl-libs
 endif
+RPM_DEPENDENCIES += --conflicts $(OTHER_PACKAGE_NAME)
 RPM_DEPENDENCIES_DEV += --depends "$(PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
 ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 RPM_DEPENDENCIES_DEV += --depends openssl-devel
 endif
+RPM_DEPENDENCIES_DEV += --conflicts $(OTHER_RPM_DEV_PACKAGE_NAME)
 RPM_DEPENDENCIES_THEMISPP = --depends "$(RPM_DEV_PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
 RPM_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) >= $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
 RPM_RELEASE_NUM = 1
@@ -665,6 +669,16 @@ DEB_THEMISPP_PACKAGE_NAME = libthemispp-dev
 RPM_THEMISPP_PACKAGE_NAME = libthemispp-devel
 JNI_PACKAGE_NAME = libthemis-jni
+ifeq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
+OTHER_PACKAGE_NAME = libthemis
+OTHER_DEB_DEV_PACKAGE_NAME = libthemis-dev
+OTHER_RPM_DEV_PACKAGE_NAME = libthemis-devel
+else
+OTHER_PACKAGE_NAME = libthemis-boringssl
+OTHER_DEB_DEV_PACKAGE_NAME = libthemis-boringssl-dev
+OTHER_RPM_DEV_PACKAGE_NAME = libthemis-boringssl-devel
+endif
+
 PACKAGE_CATEGORY = security
 SHORT_DESCRIPTION = Data security library for network communication and data storage
 RPM_SUMMARY = Data security library for network communication and data storage. \
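Review bot: `DEB_DEPENDENCIES += --conflicts $(OTHER_PACKAGE_NAME)` and its three sibling lines in the first hunk reference `OTHER_PACKAGE_NAME`, `OTHER_DEB_DEV_PACKAGE_NAME` and `OTHER_RPM_DEV_PACKAGE_NAME` some fifty lines before the second hunk assigns them, which only works because all four `*_DEPENDENCIES*` variables are recursively expanded. If any of them is ever turned back into `:=` (as `DEB_DEPENDENCIES` was before this series), `--conflicts` expands to a flag without a value and fpm takes whatever follows on its command line as the conflicting package name, so the conflict silently disappears from the built package. Either move the `OTHER_*` block (together with the `PACKAGE_NAME` block it mirrors) above the dependency definitions, or leave a marker next to the first use: `# NOTE: OTHER_*_PACKAGE_NAME are assigned further down; these variables must stay recursively expanded (=, +=) for that to work`. The `ifneq` that encloses the first context lines of the first hunk opens outside it.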
From 793201bed1aef93a0ab0669a4a71e2d394c7db07 Mon Sep 17 00:00:00 2001
From: Alexei Lozovsky
Date: Tue, 14 Jul 2020 21:56:53 +0300
Subject: [PATCH 7/9] Alternative dependencies for non-core packages Both OpenSSL and BoringSSL flavors of Themis Core provide the same ABI and can be used interchangeably. Make sure that both can satisfy dependencies of libthemispp, libthemis-jni, and libphpthemis packages. Note, however, that libthemis-boringssl cannot be used with libthemis-dev and vice versa. Also note that in this case we need to keep the version specs in parentheses because --depends value is directly substituted into DEB's "Depends:" field. FPM will not add parthenses for us this time.
---
 Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 1f238640c..5c939d684 100644
--- a/Makefile
+++ b/Makefile
@@ -628,8 +628,8 @@ ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 DEB_DEPENDENCIES_DEV += --depends libssl-dev
 endif
 DEB_DEPENDENCIES_DEV += --conflicts $(OTHER_DEB_DEV_PACKAGE_NAME)
-DEB_DEPENDENCIES_THEMISPP = --depends "$(DEB_DEV_PACKAGE_NAME) = $(VERSION)+$(OS_CODENAME)"
-DEB_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) >= $(VERSION)+$(OS_CODENAME)"
+DEB_DEPENDENCIES_THEMISPP = --depends "$(DEB_DEV_PACKAGE_NAME) (= $(VERSION)+$(OS_CODENAME)) | $(OTHER_DEB_DEV_PACKAGE_NAME) (= $(VERSION)+$(OS_CODENAME))"
+DEB_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) (>= $(VERSION)+$(OS_CODENAME)) | $(OTHER_PACKAGE_NAME) >= ($(VERSION)+$(OS_CODENAME))"
 ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 RPM_DEPENDENCIES += --depends openssl-libs
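Review bot: The new `DEB_DEPENDENCIES_JNI` line has the parentheses in the wrong place for its second alternative: `$(OTHER_PACKAGE_NAME) >= ($(VERSION)+$(OS_CODENAME))` is not valid Debian relationship syntax, since the operator belongs inside the parentheses, as the first alternative on the same line and the `DEB_DEPENDENCIES_THEMISPP` line above it both do. dpkg-deb is expected to reject the control file, or, depending on how fpm passes the value through, to produce a libthemis-jni package with an unparsable `Depends:` field that cannot be installed. Change it to `DEB_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) (>= $(VERSION)+$(OS_CODENAME)) | $(OTHER_PACKAGE_NAME) (>= $(VERSION)+$(OS_CODENAME))"`. The same relationship, correctly parenthesised, appears in the later `PHP_DEPENDENCIES` hunk, so that one needs no change.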
@@ -640,8 +640,8 @@ ifneq ($(PACKAGE_EMBEDDED_BORINGSSL),yes)
 RPM_DEPENDENCIES_DEV += --depends openssl-devel
 endif
 RPM_DEPENDENCIES_DEV += --conflicts $(OTHER_RPM_DEV_PACKAGE_NAME)
-RPM_DEPENDENCIES_THEMISPP = --depends "$(RPM_DEV_PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
-RPM_DEPENDENCIES_JNI += --depends "$(PACKAGE_NAME) >= $(RPM_VERSION)-$(RPM_RELEASE_NUM)"
+RPM_DEPENDENCIES_THEMISPP = --depends "($(RPM_DEV_PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM) or $(OTHER_RPM_DEV_PACKAGE_NAME) = $(RPM_VERSION)-$(RPM_RELEASE_NUM))"
+RPM_DEPENDENCIES_JNI += --depends "($(PACKAGE_NAME) >= $(RPM_VERSION)-$(RPM_RELEASE_NUM) or $(OTHER_PACKAGE_NAME) >= $(RPM_VERSION)-$(RPM_RELEASE_NUM))"
 RPM_RELEASE_NUM = 1
 OS_NAME := $(shell lsb_release -is 2>/dev/null || printf 'unknown')
From 4878bda3ccc12ddfbfccbd2ce6e7bd1d33841467 Mon Sep 17 00:00:00 2001
From: Alexei Lozovsky
Date: Tue, 21 Jul 2020 13:41:14 +0300
Subject: [PATCH 8/9] Accurate PHPThemis package dependencies Previously PHPThemis did not include in its dependencies at all. Make sure it depends on either OpenSSL or BoringSSL flavor of it, similar to the "libthemis-jni" package.
---
 Makefile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index 5c939d684..52e075e0f 100644
--- a/Makefile
+++ b/Makefile
@@ -914,10 +914,11 @@ pkginfo:
 PHP_VERSION_FULL:=$(shell php -r "echo PHP_MAJOR_VERSION.'.'.PHP_MINOR_VERSION;" 2>/dev/null)
 ifeq ($(OS_CODENAME),jessie)
- PHP_DEPENDENCIES:=php5
+ PHP_DEPENDENCIES += --depends php5
 else
- PHP_DEPENDENCIES:=php$(PHP_VERSION_FULL)
+ PHP_DEPENDENCIES += --depends php$(PHP_VERSION_FULL)
 endif
+PHP_DEPENDENCIES += --depends "$(PACKAGE_NAME) (>= $(VERSION)+$(OS_CODENAME)) | $(OTHER_PACKAGE_NAME) (>= $(VERSION)+$(OS_CODENAME))"
 PHP_PACKAGE_NAME:=libphpthemis-php$(PHP_VERSION_FULL)
 PHP_POST_INSTALL_SCRIPT:=./scripts/phpthemis_postinstall.sh
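Review bot: The `(A or B)` form in the new `RPM_DEPENDENCIES_THEMISPP` and `RPM_DEPENDENCIES_JNI` lines is an RPM rich (boolean) dependency, which needs rpm 4.13 or later; the rpm shipped with RHEL/CentOS 7, a platform this Makefile handles elsewhere (`RedHatEnterpriseServer CentOS` in the `RPM_LIBDIR` selection), predates that, and rpmbuild there rejects a parenthesised `Requires:`, so `make rpm` for these packages would break on that host. The alternative that works on every rpm version is to have the BoringSSL flavor declare a virtual provide of the plain name with fpm's `--provides`, e.g. `RPM_DEPENDENCIES += --provides "libthemis = $(RPM_VERSION)-$(RPM_RELEASE_NUM)"` under the `PACKAGE_EMBEDDED_BORINGSSL` guard, and keep consumers depending on `libthemis >= …` alone. I cannot tell from this hunk whether RHEL 7 is still a supported build host; if it is not, a comment next to these lines stating the rpm >= 4.13 requirement would still spare the next person a confusing build failure.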
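Review bot: The switch from `PHP_DEPENDENCIES:=php5` to `PHP_DEPENDENCIES += --depends php5` (and its `php$(PHP_VERSION_FULL)` twin) changes the variable from a package name into ready-to-use fpm arguments that `deb_php` now expands unquoted, and nothing at the definition says so. Because `+=` appends to whatever the name already holds, a `PHP_DEPENDENCIES` exported from the environment would also be injected into the package's `Depends:` field; `PHP_DEPENDENCIES :=` on its own line before the `ifeq` resets it. A comment above the `ifeq` such as `# PHP_DEPENDENCIES holds complete fpm --depends arguments, quotes included; deb_php expands it unquoted` would cover the first point.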
@@ -937,7 +938,7 @@ deb_php:
 --package $(BIN_PATH)/deb/$(PHP_PACKAGE_NAME)_$(NAME_SUFFIX) \
 --architecture $(DEB_ARCHITECTURE) \
 --version $(VERSION)+$(OS_CODENAME) \
- --depends "$(PHP_DEPENDENCIES)" \
+ $(PHP_DEPENDENCIES) \
 --deb-priority optional \
 --after-install $(PHP_POST_INSTALL_SCRIPT) \
 --before-remove $(PHP_PRE_UNINSTALL_SCRIPT) \
From b1b7814ef792f1d600841f1c54b29f6038894b7e Mon Sep 17 00:00:00 2001
From: Alexei Lozovsky
Date: Tue, 21 Jul 2020 14:45:01 +0300
Subject: [PATCH 9/9] Changelog entries
---
 CHANGELOG.md | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ea58c26fd..19d358015 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ Changes that are currently in development and have not been released yet.
 _Code:_
+- **Core**
+
+ - `make deb` and `make rpm` with `ENGINE=boringssl` will now produce `libthemis-boringssl` packages with embedded BoringSSL ([#683](https://github.com/cossacklabs/themis/pull/683)).
+
 - **Android**
 - AndroidThemis is now available on JCenter ([#679](https://github.com/cossacklabs/themis/pull/679)).
@@ -18,6 +22,10 @@ _Code:_
 - Minor dependency updates making the world a better place ([#680](https://github.com/cossacklabs/themis/pull/680)).
+- **PHP**
+
+ - `libphpthemis` packages for Debian/Ubuntu now have accurate dependencies ([#683](https://github.com/cossacklabs/themis/pull/683)).
+
 - **WebAssembly**
 - Minor dependency updates making the world a better place ([#680](https://github.com/cossacklabs/themis/pull/680)).
@@ -27,6 +35,7 @@ _Infrastructure:_
 - Improved package split making `libthemis` thinner ([#678](https://github.com/cossacklabs/themis/pull/678)).
 - Optimized dependencies of `libthemis` DEB and RPM packages ([#682](https://github.com/cossacklabs/themis/pull/682)).
 - AndroidThemis is now available on JCenter ([#679](https://github.com/cossacklabs/themis/pull/679)).
+- `make deb` and `make rpm` with `ENGINE=boringssl` will now produce `libthemis-boringssl` packages with embedded BoringSSL ([#683](https://github.com/cossacklabs/themis/pull/683)).
 ## [0.13.0](https://github.com/cossacklabs/themis/releases/tag/0.13.0), July 8th 2020