Configure: do not check for an absolute prefix in cross-builds #16445
Configure
Outdated
@@ -937,7 +937,8 @@ while (@argvcopy) | |||
{ | |||
$config{prefix}=$1; | |||
die "Directory given with --prefix MUST be absolute\n" | |||
unless file_name_is_absolute($config{prefix}); | |||
unless $user{CROSS_COMPILE} || |
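Review bot: the `$user{CROSS_COMPILE}` test on the added `unless` line runs inside the `while (@argvcopy)` loop, so it only reflects what has been set by the time `--prefix` is reached. If the cross-compile option appears later on the command line, the `die` still fires. Consider storing the prefix here and running the absolute-path check once after the loop has consumed every option. The error text also still says the prefix "MUST be absolute" with no mention of the cross-build exception, so a short comment beside the condition explaining why the check is skipped would help the next reader.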
I think the check needs to be moved down after all the options are parsed. And $config should be used instead of $user.
The change seems OK to me now. However it is no longer acceptable with CLA: trivial. Could you please submit a regular CLA? https://www.openssl.org/policies/cla.html
@t8m is correct in that although this is a simple change, it steps outside the project comfort zone for legally trivial (a different measurement).
Perhaps you could change the commit's e-mail address to use this old one?
The check is always made according to the host platform's rules, which may not be true when the target platform is different, e.g. when cross-building for Windows on a Linux machine. So skip this check when used together with the `--cross-compile-prefix=` option.

CLA: trivial

Fixes #9520
Instead of using OpenSSL as a default backend, schannel builds will tap on the OS's TLS/SSL capabilities, meaning the exact feature set will depend on OS version (and possibly OS configuration settings). This should generally not pose a problem when running on a fairly recent (officially supported) Windows release (meaning Windows 10 or equivalent server version).

The expected advantage of these builds is significantly smaller on-disk and in-memory footprint, faster and simpler builds, and all the upsides of avoiding a complex 3rd party library such as OpenSSL with its vulnerabilities and attack surface.

One specific vulnerability that this will universally fix is CVE-2019-12572 which to this day is not fixed in OpenSSL, and in fact OpenSSL denies this has anything to do with OpenSSL itself, so there is little chance this will ever get addressed. This branch also allows to go back to the curl-for-win promise of not using any local patches, by dropping a necessary OpenSSL patch to be able to mitigate said CVE somewhat better.

Another decisive moment was OpenSSL's recently laid out plans that made it unlikely that this, or other pending TLS/SSL/QUIC-related bits will get the expected attention in the foreseeable future.

Ref: https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12572
Ref: openssl/openssl#17151
Ref: openssl/openssl#16445
Ref: openssl/openssl#9520