CI: NetBSD: build a fresh OpenSSL from source, we need >= 3.2

2026-05-22 18:16:02 -04:00 · 2026-05-11 23:20:23 +02:00 · 2026-05-11 23:20:23 +02:00 · 252cf06eb9
commit 252cf06eb9
parent de2c4eaf55
2 changed files with 33 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -412,6 +412,30 @@ jobs:
                touch ${TMPDIR}/testfile
                lsextattr user ${TMPDIR}/testfile && echo "[xattr] *** xattrs SUPPORTED on ${TMPDIR}! ***"

+                # NetBSD 10 has a too old OpenSSL, build a fresher one.
+                VERSION="3.5.6"
+                echo "--- Building OpenSSL ${VERSION} ---"
+                PREFIX="/usr/local"
+                JOBS=$(sysctl -n hw.ncpu)
+
+                pushd /tmp
+                ftp -o "openssl-${VERSION}.tar.gz" "https://www.openssl.org/source/openssl-${VERSION}.tar.gz"
+                tar xzf "openssl-${VERSION}.tar.gz"
+                pushd "openssl-${VERSION}"
+
+                ./Configure --prefix="${PREFIX}" --openssldir="${PREFIX}/etc/ssl" --libdir=lib \
+                            -Wl,-rpath,${PREFIX}/lib shared threads no-tests no-docs
+                export LD_LIBRARY_PATH="/usr/local/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+                make -j"${JOBS}"
+                sudo -E make install
+                popd
+                rm -rf "/tmp/openssl-${VERSION}" "/tmp/openssl-${VERSION}.tar.gz"
+                popd
+
+                "${PREFIX}/bin/openssl" version
+                export BORG_OPENSSL_PREFIX="${PREFIX}"
+                export PKG_CONFIG_PATH="/usr/local/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}"
+
                tox3 -e py311-none
                ;;

--- a/setup.py
+++ b/setup.py
@ -29,6 +29,7 @@ sys.path += [os.path.dirname(__file__)]

 is_win32 = sys.platform.startswith("win32")
 is_openbsd = sys.platform.startswith("openbsd")
+is_netbsd = sys.platform.startswith("netbsd")

 # Number of threads to use for cythonize, not used on Windows
 cpu_threads = multiprocessing.cpu_count() if multiprocessing and multiprocessing.get_start_method() != "spawn" else None
@ -150,6 +151,14 @@ if not on_rtd:
            include_dirs=[os.path.join(openssl_prefix, "include", openssl_name)],
            extra_objects=[os.path.join(openssl_prefix, "lib", openssl_name, "libcrypto.a")],
        )
+    elif is_netbsd and os.environ.get("BORG_OPENSSL_PREFIX"):
+        # Similarly for NetBSD, if we built a custom OpenSSL, link it statically
+        # to avoid dynamic linker conflicts with the system OpenSSL loaded by Python.
+        openssl_prefix = os.environ.get("BORG_OPENSSL_PREFIX")
+        crypto_ext_lib = dict(
+            include_dirs=[os.path.join(openssl_prefix, "include")],
+            extra_objects=[os.path.join(openssl_prefix, "lib", "libcrypto.a")],
+        )
    else:
        crypto_ext_lib = lib_ext_kwargs(pc, "BORG_OPENSSL_PREFIX", "crypto", "libcrypto", ">=3.2.0")