[Bug 272816] pkgbase: caroot and openssl packages need reorganising
Date: Sun, 30 Jul 2023 10:35:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272816

Bug ID: 272816
Summary: pkgbase: caroot and openssl packages need reorganising
Product: Base System
Version: 13.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: misc
Assignee: bugs@FreeBSD.org
Reporter: dfr@rabson.org

A popular base container image for Linux containers is the distroless family of images (https://github.com/GoogleContainerTools/distroless). For statically linked openssl-based programs, there is a very small 'static' image which contains just certificates and a few config files. For dynamically linked program support there is also 'base' which adds in base system dynamic libs as well as openssl libs. These help to reduce the attack surface on the inside of the container as well as reducing the raw image size.

Trying to use pkgbase to build something like distroless-static isn't currently possible since the FreeBSD-caroot package which contains the certificates also depends on FreeBSD-openssl which has all the ssl dynamic libs. Building something like distroless-base is almost possible but FreeBSD-openssl also installs the openssl utility which isn't wanted and is ~0.7Mb in size.

Perhaps FreeBSD-caroot could split out the certificates into another package or possibly just not depend on FreeBSD-openssl? To avoid installing /usr/bin/openssl when adding SSL dynamic libs, perhaps FreeBSD-openssl could split out the libs into FreeBSD-openssl-libs?

--
You are receiving this mail because:
You are the assignee for the bug.