Hi there,
I'm finally coming around to updating to 23.05 and just want to make sure not to F* up something.
I want to keep TLS1.3 and thus openSSL. Of course, the image build fails if I just include libustream-openssl.
It builds successfully if I also exclude libustream-mbedtls with -libustream-mbedtls. But in .config, there are a lot of defaults for mbedtls - is that an issue that needs to be tackled or are those defaults (like ciphers for example) automatically applied to openssl?
As you're on x86_64, just test the image beforehand - be it in a virtual machine (e.g. qemu/kvm) or on the real iron booted from a USB stick; x86_64 is just easy in this regard (and even in the worst case you can recover easily).
The general "it works" can easily be tested, true. I'm more worried that some "hidden" configuration would maybe be amiss that could for example compromise security.
And there are no easy or general answers to that, as it depends on the (unspecified) version you're coming from, as well as what additional packages you have installed and how your configuration deviates from defaults.
The only generic answer would be not to retain configurations over a major version upgrade, and/or carefully audit default-state-of-old-version, default-state-of-new-version, as well as your existing configuration delta vs. default-state-of-old-version and what you end up with after applying your configuration relative to default-state-of-new-version. Not that this really helps you find a solution, but I actually am quite serious about it (and look into sysupgrade -u, which might help your goal - or it might not; usage of that requires careful auditing as well).
To get a bit closer to reality, I really like OpenWrt on x86_64 as a router, exactly because you can easily test things (including the sysupgrade from old to new) from a USB stick, without endangering your installed system. While that doesn't help you omit all care and auditing, it does make the process much nicer.
Thanks for the insights!
I'm currently on 22.03.3 and haven't really installed any additional packages or have crazy configs, "just" the setup of vlans, dhcp/dns and so on. But never done a major release upgrade.
But it really sounds like I should finally get around to biting the bullet and recreating my config as a UCI script to ease the audit/prevent obsolete configs from being carried over.
sysupgrade -u really sounds important here, never gave it a second thought because the help explanation ("skip from backup files that are equal to those in /rom") didn't ring a bell, but the explanation in https://openwrt.org/docs/techref/sysupgrade makes much more sense. Thanks for mentioning that!
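As an added illustration of the audit step discussed above (not code from any poster or from OpenWrt itself): the check behind "sysupgrade -u" is simply "skip backup files that are equal to those in /rom". The function below applies that same comparison to a config tree so the delta against the release defaults can be reviewed file by file before it is carried over a major upgrade. The two directory arguments are assumptions so it can run against a mounted USB-stick install or a test directory as well as the live router (ROOT=/ ROM=/rom).

```shell
#!/bin/sh
# Added example (not part of the thread): list the files under ROOT/etc/config
# that would survive a "sysupgrade -u" backup, i.e. those that differ from the
# pristine copy under ROM/etc/config or have no pristine copy at all.
# Output is one line per file: "new NAME" or "changed NAME".
# Usage: config_delta / /rom        (on the router)
#        config_delta /mnt/usb /mnt/usb/rom   (on a mounted test install)
config_delta() {
    root="${1%/}"   # strip a trailing slash so "/" becomes "" and "/etc/config" stays valid
    rom="${2%/}"
    for f in "$root"/etc/config/*; do
        [ -f "$f" ] || continue          # skip an empty glob or stray directories
        name="${f##*/}"
        if [ ! -f "$rom/etc/config/$name" ]; then
            printf 'new %s\n' "$name"    # no default exists: was created by you or a package
        elif ! cmp -s "$f" "$rom/etc/config/$name"; then
            printf 'changed %s\n' "$name"  # deviates from the shipped default: audit it
        fi
    done
}

# Number of files that would be carried over; each one deserves a look
# against the new release's defaults before it is restored.
config_delta_count() {
    config_delta "$1" "$2" | wc -l | tr -d ' '
}
```

Files reported as "changed" are the ones whose old-version defaults may no longer match the new release, which is exactly the delta the earlier reply suggests auditing.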
I don't remember the reasoning, but I remember that a person with greater knowledge than me suggested putting all the minus-packages before the substitution packages in the list of PACKAGES, so in your case, I'd try:
Now, I don't know about ciphers, but I can tell you for sure that with at least one package (curl) the SSL library is a build-time dependency, so if you were to add curl to the list, it would still pull whatever SSL library it was built for (if I remember correctly, wolfssl for 22.03 and mbedtls for 23.05).
So definitely, no, not all packages will depend on openssl in your image.
PS. You may want to reduce your PACKAGES variable by removing packages which are included on your platform by default, I believe the list is available if you run make info inside the IB directory. Like dropbox, dnsmasq, procd, uci and uclient-fetch most likely can be removed.
PPS. You may also be able to remove luci if luci-ssl-openssl has proper dependencies.
opkg does not do smart dependency resolution; you will have to unravel the dependency conflicts for it - meaning you have to clear the conflicts (the whole dependency chain, in order) first, before you can include the otherwise conflicting packages.
Like hnyman already said, that doesn't seem to be the case - it worked for me once I put -libustream-mbedtls at the end of the PACKAGES argument (without that, I would of course get a build error that mbedtls and openssl conflict). Just to be safe, I've now put it at the beginning and slimmed down the list to the non-defaults, but at least there wasn't an immediately obvious difference between putting the exclusion at the beginning or the end.