Fossil SCM
Expanded the section on --with-openssl=none in www/build.wiki to explain why adding that option is a bad idea, what to do instead, and to point to the newly expanded OpenSSL discussion in www/ssl.wiki for more information.
Commit
4f810279ceee61764a3318d20c42aeab1866d6dbd8e1724a2ab86139f7a469f6
Parent
5280c1ab9a05418…
1 file changed
+23
-2
| --- www/build.wiki | ||
| +++ www/build.wiki | ||
| @@ -78,12 +78,33 @@ | ||
| 78 | 78 | <li><i>(Optional, Unix only)</i> |
| 79 | 79 | Run <b>./configure</b> to construct a makefile. |
| 80 | 80 | |
| 81 | 81 | <ol type="a"> |
| 82 | 82 | <li><p> |
| 83 | -If you do not have the OpenSSL library installed on your system, then | |
| 84 | -add <b>--with-openssl=none</b> to omit the https functionality. | |
| 83 | +The build system for Fossil on Unix-like systems assumes that the | |
| 84 | +OpenSSL development and runtime files are available on your system, | |
| 85 | +because unprotected repositories are trivial to attack otherwise. | |
| 86 | +Indeed, some public Fossil repositories — including Fossil's own — today | |
| 87 | +run in an HTTPS-only mode, so that you can't even do an anonymous clone | |
| 88 | +from them without using the TLS features added to Fossil by OpenSSL. To | |
| 89 | +weaken that stance could allow a | |
| 90 | +[https://en.wikipedia.org/wiki/Man-in-the-middle_attack|man in the | |
| 91 | +middle attack], such as one that substitutes malicious code into your | |
| 92 | +Fossil repository clone.</p> | |
| 93 | + | |
| 94 | +<p>You can force the Fossil build system to avoid searching for, building | |
| 95 | +against, and linking to the OpenSSL library by passing | |
| 96 | +<b>--with-openssl=none</b> to the <tt>configure</tt> script.</p> | |
| 97 | + | |
| 98 | +<p>If you do not have the OpenSSL development libraries on your system, | |
| 99 | +we recommend that you install them, typically via your OS's package | |
| 100 | +manager. The Fossil build system goes to a lot of effort to seek these | |
| 101 | +out wherever they may be found, so that is typically all you need to | |
| 102 | +do.</p> | |
| 103 | + | |
| 104 | +<p>For more advanced use cases, see the [./ssl.wiki#client|OpenSSL | |
| 105 | +discussion in the "TLS and Fossil" document].</p> | |
| 85 | 106 | |
| 86 | 107 | <li><p> |
| 87 | 108 | To build a statically linked binary (suitable for use inside a chroot |
| 88 | 109 | jail) add the <b>--static</b> option. |
| 89 | 110 | |
| 90 | 111 |
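Review bot: The paragraph at new lines 94-96 introduces <b>--with-openssl=none</b> without stating what the resulting binary loses. The removed text said the option would "omit the https functionality"; the replacement says only that the build avoids "searching for, building against, and linking to the OpenSSL library", so a reader who jumps straight to the option name is never told that HTTPS support is gone, or that the man-in-the-middle warning in the paragraph above applies to this choice. Suggest ending that paragraph with a clause along the lines of "which produces a binary without HTTPS support; see the warning above before using it". Separately, at new lines 88-89, "To weaken that stance could allow a" reads awkwardly; "Weakening that stance could allow a" is plainer.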
| --- www/build.wiki | |
| +++ www/build.wiki | |
| @@ -78,12 +78,33 @@ | |
| 78 | <li><i>(Optional, Unix only)</i> |
| 79 | Run <b>./configure</b> to construct a makefile. |
| 80 | |
| 81 | <ol type="a"> |
| 82 | <li><p> |
| 83 | If you do not have the OpenSSL library installed on your system, then |
| 84 | add <b>--with-openssl=none</b> to omit the https functionality. |
| 85 | |
| 86 | <li><p> |
| 87 | To build a statically linked binary (suitable for use inside a chroot |
| 88 | jail) add the <b>--static</b> option. |
| 89 | |
| 90 |
| --- www/build.wiki | |
| +++ www/build.wiki | |
| @@ -78,12 +78,33 @@ | |
| 78 | <li><i>(Optional, Unix only)</i> |
| 79 | Run <b>./configure</b> to construct a makefile. |
| 80 | |
| 81 | <ol type="a"> |
| 82 | <li><p> |
| 83 | The build system for Fossil on Unix-like systems assumes that the |
| 84 | OpenSSL development and runtime files are available on your system, |
| 85 | because unprotected repositories are trivial to attack otherwise. |
| 86 | Indeed, some public Fossil repositories — including Fossil's own — today |
| 87 | run in an HTTPS-only mode, so that you can't even do an anonymous clone |
| 88 | from them without using the TLS features added to Fossil by OpenSSL. To |
| 89 | weaken that stance could allow a |
| 90 | [https://en.wikipedia.org/wiki/Man-in-the-middle_attack|man in the |
| 91 | middle attack], such as one that substitutes malicious code into your |
| 92 | Fossil repository clone.</p> |
| 93 | |
| 94 | <p>You can force the Fossil build system to avoid searching for, building |
| 95 | against, and linking to the OpenSSL library by passing |
| 96 | <b>--with-openssl=none</b> to the <tt>configure</tt> script.</p> |
| 97 | |
| 98 | <p>If you do not have the OpenSSL development libraries on your system, |
| 99 | we recommend that you install them, typically via your OS's package |
| 100 | manager. The Fossil build system goes to a lot of effort to seek these |
| 101 | out wherever they may be found, so that is typically all you need to |
| 102 | do.</p> |
| 103 | |
| 104 | <p>For more advanced use cases, see the [./ssl.wiki#client|OpenSSL |
| 105 | discussion in the "TLS and Fossil" document].</p> |
| 106 | |
| 107 | <li><p> |
| 108 | To build a statically linked binary (suitable for use inside a chroot |
| 109 | jail) add the <b>--static</b> option. |
| 110 | |
| 111 |