[SOLVED] Compile ports from source

Started by interfaSys, January 15, 2016, 02:08:19 PM

January 15, 2016, 02:08:19 PM Last Edit: January 18, 2016, 07:39:18 AM by franco
Since OPNsense can be simply enabled on top of FreeBSD, does that mean that I can simply fetch the list of packages and manually compile them using something like portmaster, using my custom make.conf containing security-enabled CFLAGS?

The ports tree is fully in sync with FreeBSD, updated once a day most days. On the box, do:

# pkg install git
# cd /usr
# git clone https://github.com/opnsense/ports
# cd /etc
# fetch https://raw.githubusercontent.com/opnsense/tools/master/config/15.7/make.conf

You should keep the make.conf defaults on top of your own modifications to avoid package dependency clashes. (Since you know portmaster, you probably know what to do in this case. :) )

A full list of binary packages directly installed via pkg can be found here:

https://github.com/opnsense/tools/blob/master/config/15.7/ports.conf

If you will share those modifications with us we can discuss and merge them into the standard build. I'm thinking Shawn from the HardenedBSD project would be happy to review as well.

Thanks for that, very useful.

I've noticed that stack protection has been added to some opnsense packages, like Suricata, that would have been the first thing I would have added.

Where are the cflags stored? They're not in the make.conf nor in the makefile.

If there's something in there it's what the individual ports configurations already have... It's a bit hidden in the ports tree, generally:

# cd /usr/ports/your/port
# git grep ^CFLAGS

There may be some options that are sneaked in by default by either the individual ports configure stage (suricata is a good example, it doesn't really like CFLAGS overrides and overrides it again) or that are in the ports framework somewhere in:

# cd /usr/ports/Mk
# git grep ^CFLAGS

For FreeBSD, this would be the place to enable flags by default, for us it's probably make.conf since we don't want to diverge too much in the ports tree itself.

Thanks. -fstack-protector is turned on by default.

Just did some tests and Clang in base is too old to be able to use some flags (-fstack-protector-strong, -Wl,-z,relro,-z,now).
Is there any reason the project is not using a newer clang? A major FreeBSD branch usually stays for years with an old compiler.

We use the base toolchain to not overcomplicate or introduce weirdness we can't get proper support for (base/kernel itself). Also, I don't know of anybody using clang from ports yet. A newer clang can surely be used there, but it needs test coverage, discussion and knowledge that I do not possess. :)

OK. I definitely think base/kernel should use the default compiler, but I'll experiment with clang from ports for ports.
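A way to check which of the flags discussed above a given compiler actually accepts before putting them into make.conf, and to emit them as `+=` lines so the project's make.conf defaults stay in place. This is an added example, not code from this thread or from the OPNsense tools; it assumes a POSIX sh with mktemp, the file name probe_flags.sh is hypothetical, and the compiler (base `cc` or a clang from ports) is passed as the first argument.

```shell
#!/bin/sh
# Added helper (not part of OPNsense tools): probe which hardening flags a
# compiler accepts, then print a make.conf fragment with just those flags.
# Append the fragment below the project's make.conf defaults; it uses +=
# so the defaults are kept.  Usage: sh probe_flags.sh [compiler]

# probe_flag MODE CC FLAG: MODE is "compile" (for CFLAGS) or "link" (for
# LDFLAGS). Returns 0 if CC builds a trivial program with FLAG, 1 otherwise.
probe_flag() {
    _mode=$1; _cc=$2; _flag=$3
    _tmp=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$_tmp/t.c"
    if [ "$_mode" = compile ]; then
        set -- -c "$_tmp/t.c" -o "$_tmp/t.o"
    else
        set -- "$_tmp/t.c" -o "$_tmp/t"
    fi
    # -Werror: a compiler that only warns about an unknown or unsupported
    # option (instead of erroring out) is still reported as "unsupported".
    if "$_cc" -Werror "$_flag" "$@" >/dev/null 2>&1; then _rc=0; else _rc=1; fi
    rm -rf "$_tmp"
    return $_rc
}

# Print CFLAGS+= / LDFLAGS+= lines for the flags named in the thread that
# CC (default: cc, the base toolchain) really supports; nothing is printed
# for a flag the compiler rejects, e.g. -fstack-protector-strong on old clang.
emit_makeconf_fragment() {
    _cc=${1:-cc}
    _cflags=""; _ldflags=""
    for _f in -fstack-protector -fstack-protector-strong; do
        if probe_flag compile "$_cc" "$_f"; then _cflags="$_cflags $_f"; fi
    done
    for _f in -Wl,-z,relro -Wl,-z,now; do
        if probe_flag link "$_cc" "$_f"; then _ldflags="$_ldflags $_f"; fi
    done
    if [ -n "$_cflags" ]; then printf 'CFLAGS+=%s\n' "$_cflags"; fi
    if [ -n "$_ldflags" ]; then printf 'LDFLAGS+=%s\n' "$_ldflags"; fi
    return 0
}

emit_makeconf_fragment "${1:-cc}"
```

Ports whose configure stage re-sets CFLAGS on its own (suricata, as noted earlier in the thread) will still ignore whatever this fragment adds, so check the resulting binaries rather than trusting make.conf alone.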

I know this is a stale thread but a GitHub issue referenced these *very early* instructions that no longer work:

TLDR:

https://github.com/opnsense/ports/issues/211#issuecomment-2525551782

Or if you fancy documentation:

https://docs.opnsense.org/manual/software_included.html#the-ports-tree


Cheers,
Franco