# "Makefile broken" trying to use portupgrade



## phantomflash (May 6, 2014)

I'm trying to update a FreeBSD server to fix the Heartbleed bug. I only deal with updating this server on an occasional basis; every few months or so. I've used portsnap and portupgrade in the past to install updates (I've read they are the preferred method). The process never seems to be without some problem or other, but this time I've been stumped. I haven't found any obvious clues on the Web. What should I try next, to update my system? (I also have to update Apache and some other things, but I tried openssl first. I get fairly similar errors when trying to update, for example, ruby.)

After I use portsnap to fetch & update the ports, here's what happens next (leaving out the -R makes no difference):

`myserver# portupgrade -R openssl`


```
Unknown modifier 't'

Unknown modifier 't'

"/usr/ports/Mk/bsd.port.mk", line 1775: Malformed conditional (defined(USE_LDCONFIG) && ${USE_LDCONFIG:tl} == "yes")
Unknown modifier 't'

Unknown modifier 't'

"/usr/ports/Mk/bsd.sites.mk", line 957: Malformed conditional (!empty(_PERL_CPAN_ID) && ${_PERL_CPAN_FLAG:tl} == "cpan")
Unknown modifier 't'

"/usr/ports/Mk/bsd.port.mk", line 2929: Unclosed conditional/for loop
"/usr/ports/Mk/bsd.port.mk", line 2929: Unexpected end of file in for loop.

"/usr/ports/Mk/bsd.port.mk", line 6706: Unclosed conditional/for loop
"/usr/ports/Mk/bsd.port.mk", line 6706: Unexpected end of file in for loop.

make: fatal errors encountered -- cannot continue
** Makefile possibly broken: security/openssl:
/usr/local/sbin/portupgrade:1481:in `get_pkgname': Makefile broken (MakefileBrokenError)
        from /usr/local/sbin/portupgrade:616:in `main'
        from /usr/local/sbin/portupgrade:607:in `each'
        from /usr/local/sbin/portupgrade:607:in `main'
        from /usr/local/sbin/portupgrade:581:in `catch'
        from /usr/local/sbin/portupgrade:581:in `main'
        from /usr/local/lib/ruby/1.8/optparse.rb:1310:in `call'
        from /usr/local/lib/ruby/1.8/optparse.rb:1310:in `parse_in_order'
        from /usr/local/lib/ruby/1.8/optparse.rb:1306:in `catch'
        from /usr/local/lib/ruby/1.8/optparse.rb:1306:in `parse_in_order'
        from /usr/local/lib/ruby/1.8/optparse.rb:1254:in `catch'
        from /usr/local/lib/ruby/1.8/optparse.rb:1254:in `parse_in_order'
        from /usr/local/lib/ruby/1.8/optparse.rb:1248:in `order!'
        from /usr/local/lib/ruby/1.8/optparse.rb:1241:in `order'
        from /usr/local/sbin/portupgrade:558:in `main'
        from /usr/local/lib/ruby/1.8/optparse.rb:791:in `initialize'
        from /usr/local/sbin/portupgrade:230:in `new'
        from /usr/local/sbin/portupgrade:230:in `main'
        from /usr/local/sbin/portupgrade:2234
myserver#
```


----------



## jrodrigu (May 6, 2014)

Hi,

I'm getting the same error message today, a message that is generated attempting to make anything.

In addition, when I run `pkg version -v` every port shows orphaned.

I am not sure where to begin on this, I have tried to update the ports tree to no avail.

Joel

OK, I think the problem runs a bit deeper, do I need to establish a separate post?


```
tahoestores# uname -a
FreeBSD tahoestores.net 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
tahoestores#
```


```
tahoestores# pkg version -v
3dm-2.11.00.019,1                  ?   orphaned: sysutils/3dm
GeoIP-1.4.8_3                      ?   orphaned: net/GeoIP
ImageMagick-6.8.0.7_8,1            ?   orphaned: graphics/ImageMagick
ORBit2-2.14.19                     ?   orphaned: devel/ORBit2
Xaw3d-1.5E_6                       ?   orphaned: x11-toolkits/Xaw3d
apache22-2.2.27_2                  ?   orphaned: www/apache22
apr-1.5.1.1.5.3                    ?   orphaned: devel/apr1
arc-5.21p                          ?   orphaned: archivers/arc
arj-3.10.22_4                      ?   orphaned: archivers/arj
aspell-0.60.6.1_4                  ?   orphaned: textproc/aspell
aspell-ispell-0.60.6.1             ?   orphaned: textproc/aspell-ispell
atk-2.8.0                          ?   orphaned: accessibility/atk
autoconf-2.69                      ?   orphaned: devel/autoconf
autoconf-wrapper-20131203          ?   orphaned: devel/autoconf-wrapper
autoconf213-2.13.000227_6          ?   orphaned: devel/autoconf213
automake-1.14                      ?   orphaned: devel/automake
automake-wrapper-20131203          ?   orphaned: devel/automake-wrapper
autorespond-2.0.5                  ?   orphaned: mail/autorespond
bash-4.3.11_2                      ?   orphaned: shells/bash
...
```


```
tahoestores# whereis zip
zip: /usr/local/bin/zip /usr/local/man/man1/zip.1.gz /usr/ports/archivers/zip
tahoestores# cd /usr/ports/archivers/zip
tahoestores# pwd
/usr/ports/archivers/zip
tahoestores# make
Unknown modifier 't'

Unknown modifier 't'

Unknown modifier 't'

Unknown modifier 't'

Unknown modifier 't'

"/usr/ports/Mk/bsd.sites.mk", line 957: Malformed conditional (!empty(_PERL_CPAN_ID) && ${_PERL_CPAN_FLAG:tl} == "cpan")
Unknown modifier 't'

Unknown modifier 't'

"/usr/ports/Mk/bsd.port.mk", line 2929: Unclosed conditional/for loop
"/usr/ports/Mk/bsd.port.mk", line 2929: Unexpected end of file in for loop.

"/usr/ports/Mk/bsd.port.mk", line 6706: Unclosed conditional/for loop
"/usr/ports/Mk/bsd.port.mk", line 6706: Unexpected end of file in for loop.

1 open conditional:
         at line 1179 (evaluated to true)
make: fatal errors encountered -- cannot continue
tahoestores#
```


----------



## trh411 (May 6, 2014)

phantomflash said:
			
		

> I'm trying to update a FreeBSD server to fix the Heartbleed bug.


What version of FreeBSD? Please show the output of `uname -a`.

Why are you trying to upgrade security/openssl? The openssl you need to patch is built into FreeBSD. Did you read the OpenSSL use-after-free Vulnerability Security Advisory?

Patching the system using freebsd-update(8) is the normal way to fix the Heartbleed bug if you use binary updates. Or you can download the latest source and build/install a new world/kernel if you build from source.


----------



## jrodrigu (May 6, 2014)

While you are correct pointing out the folly of incorrectly building ports, even if an attempt was made to build OpenSSL correctly, it would fail with the same error message. Please see my update to my comment.

This is a show stopping serious issue, and I would expect that you would want to get to the bottom of this quickly.

Joel


----------



## kpa (May 6, 2014)

You're on an unsupported release and this is quite expected, the ports tree doesn't support old releases anymore. Upgrade ASAP, seriously.


----------



## phantomflash (May 6, 2014)

trh411 said:
			
		

> phantomflash said:
> 
> 
> 
> ...




```
uname -a
FreeBSD secure.stenocall.com 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
```



> Why are you trying to upgrade security/openssl? The openssl you need to patch is built into FreeBSD.


You mean why am I updating it in this manner? I've always updated it this way -- 2 or 3 times in the past. OK I suppose it's "built in" but that doesn't change the fact that it needs to be updated.



> Did you read the OpenSSL use-after-free Vulnerability Security Advisory?


I have read various advisories about this problem, but not that one (not sure how I would have found it). My system's nightly security check Emailed me this advisory link: http://portaudit.freebsd.org/5631ae98-b ... 43978.html . It in turn has another BSD link, ftp://ftp.freebsd.org/pub/FreeBSD/CERT/ ... penssl.asc , but that URL gets an error.



> Patching the system using freebsd-update(8) is the normal way to fix the Heartbleed bug if you use binary updates.


A couple of years ago when I had to start updating this system, I went searching for the proper way to do it, and found http://www.freebsd.org/doc/handbook/ports-using.html and http://www.freebsddiary.org/portupgrade.php which convinced me portupgrade was the way to go. I don't recall seeing freebsd-update mentioned in any of the several articles I read, although my memory could be a little fuzzy by now.

So if freebsd-update is supposed to be the way to update, are you saying it won't get a broken makefile? That it somehow gets a different makefile from the other method? Remember that's the real problem here.

And will there be any ill effects if I just switch over and use it now, considering the other method has already been used in the past?

And by the way, are you saying there's some sort of distinction between different kinds of software on BSD? If so, how is one supposed to know which is which? And if there's a "built-in" way, as you call it, to update openssl or anything else, why would there also be a port of it?


----------



## trh411 (May 6, 2014)

jrodrigu said:
			
		

> While you are correct pointing out the folly of incorrectly building ports, even if an attempt was made to build openssl correctly, it would fail with the same error message. Please see my update to my comment. This is a show stopping serious issue, and I would expect that you would want to get to the bottom of this quickly.


My reply was to the original poster, @phantomflash, not to you, @rodrigu. I suspect by now you have noted @kpa's post which suggested you upgrade to a supported version of FreeBSD ASAP. FreeBSD-9.0-RELEASE has been end-of-life since 1/31/2013. See Unsupported FreeBSD Releases.


----------



## trh411 (May 6, 2014)

phantomflash said:
			
		

> FreeBSD secure.stenocall.com 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64[/code]


FreeBSD-8.2-RELEASE has been end-of life since 7/21/2012. See Unsupported FreeBSD Releases. Upgrade to a supported version ASAP.


----------



## jrodrigu (May 6, 2014)

kpa said:
			
		

> You're on an unsupported release and this is quite expected, the ports tree doesn't support old releases anymore. Upgrade ASAP, seriously.



Seriously? LOL. It would be nice if you folks would be a little bit more proactive. I've been building stuff on this unsupported release for well over a year and not once was I advised that support was ending.

This practice of forcing people to migrate by shutting down updates is a very nasty one. I do hope the upgrade path is well tested and that undertaking this task will not shut down my production server for any length of time.

Had this shutdown occurred a week or two earlier I would have faced a production MX server that would be out of commission. Honestly, you folks need to consider us more casual users a bit more. Hell, I knew Microsoft was shutting down support of XP for months before it happened and I was not even looking for this info. It is a sad day when Microsoft beats out the open source community in terms of user support.

But, silly me. I should have known this was going to happen since it has been a regular feature of FreeBSD.

Thanks for the comment.


----------



## trh411 (May 7, 2014)

jrodrigu said:
			
		

> Seriously? LOL. It would be nice if you folks would be a little bit more proactive. I've been building stuff on this unsupported release for well over a year and not once was I advised that support was ending. This practice of forcing people to migrate by shutting down updates is a very nasty one. I do hope the upgrade path is well tested and that undertaking this task will not shut down my production server for any length of time. Had this shutdown occurred a week or two earlier I would have faced a production MX server that would be out of commission. Honestly, you folks need to consider us more casual users a bit more. Hell, I knew Microsoft was shutting down support of XP for months before it happened and I was not even looking for this info. It is a sad day when Microsoft beats out the open source community in terms of user support. But, silly me. I should have known this was going to happen since it has been a regular feature of FreeBSD.


FreeBSD Security Information provides information on the upcoming EOL of all currently supported versions. It's what we all use as our guide. Going forward, you should too.

Your sarcasm aside, if you maintain a production server, I don't see how you can rightfully classify yourself a casual user. It seems an inherent contradiction to me.


----------



## wblock@ (May 7, 2014)

There is no "you folks".  We are users of FreeBSD, the same as you.  This page shows release support status.  This page shows releases which are no longer supported..

If you would like something more automated, it can be arranged.  Maybe for free, maybe not.


----------



## einhirn (May 7, 2014)

Just for info - I ran into the same problem - for some reason /usr/bin/make was still the one for 8.3 instead of 8.4 after `freebsd-update -r 8.4-release upgrade` (and install and reboot and install). I just fetched /usr/bin/make from a machine that was upgraded more successfully and the problem was gone.

BTW: I used `file` to see that make was compiled for FreeBSD 8.3 instead of 8.4.


----------



## DutchDaemon (May 7, 2014)

wblock@ said:
			
		

> There is no "you folks".  We are users of FreeBSD, the same as you.  This page shows release support status.  This page shows releases which are no longer supported..
> 
> If you would like something more automated, it can be arranged.  Maybe for free, maybe not.



There's are always the freebsd-announce and freebsd-security mailing lists.


----------



## phantomflash (May 7, 2014)

trh411 said:
			
		

> phantomflash said:
> 
> 
> 
> ...



Obviously I am not familiar with normal FreeBSD procedures concerning new versions and patches/ports/updates/whatever. Your answer appears to cover (or supersede) my first couple of questions, but that leaves the others that didn't get answered, so I'll repeat them briefly:

1. Any ill effects from switching to freebsd-update now, considering I've used portupgrade in the past?

2. A distinction between different kinds of software on BSD? If so, how is one supposed to know which is which?

3. If there's a "built-in" way, as you call it, to update openssl or anything else, why would there also be a port of it?

And to them I will add:

3. I looked at your link for the man page for freebsd-update and it's not clear how to specify openssl or apache (or whatever) for updates. Or is this command solely an all-at-once updater where you can't specify single programs/packages?

4. The man page seems to indicate freebsd-update can be used for updating to a whole new O/S version. Another poster also seems to have mentioned such a capability. Am I understanding correctly that this can be used, by itself, to reach a supported version? Reliably?

5. If #4 is the case, and I reach the current supported version, does that mean I will automatically get the very newest patched apache and openssl along with it? These two are all I'm really interested in; someone else built this server and (I thought) updated the O/S; I'm just the one that understands and configures Apache so they told me to update it and the SSL.

I will appreciate enlightenment. Thanks.


----------



## trh411 (May 7, 2014)

phantomflash said:
			
		

> 1. Any ill effects from switching to freebsd-update now, considering I've used portupgrade in the past?


We're talking about two different things here. freebsd-update(8) is used to apply binary updates to FreeBSD. portupgrade(1) is used to upgrade ports. Ports are not part of the base FreeBSD. Ports are installed and managed separately from FreeBSD.


			
				phantomflash said:
			
		

> 2. A distinction between different kinds of software on BSD? If so, how is one supposed to know which is which?


I do not know what you mean by different kinds of software.


			
				phantomflash said:
			
		

> 3. I looked at your link for the man page for freebsd-update and it's not clear how to specify openssl or apache (or whatever) for updates. Or is this command solely an all-at-once updater where you can't specify single programs/packages?


Again, freebsd-update(8) is used to apply binary updates to FreeBSD. security/openssl and www/apache are ports and are not part of the base FreeBSD. freebsd-update(8) cannot be used to upgrade ports. That is what tools like portmaster(1) and portupgrade(1) are for. 


			
				phantomflash said:
			
		

> 4. The man page seems to indicate freebsd-update can be used for updating to a whole new O/S version. Another poster also seems to have mentioned such a capability. Am I understanding correctly that this can be used, by itself, to reach a supported version? Reliably?


That is precisely what freebsd-update(8) is for, with one important caveat. freebsd-update(8) can only be used for RELEASE versions of FreeBSD. It can be used to apply binary patches to an existing FreeBSD RELEASE (like for Heartbleed), to perform a minor upgrade of FreeBSD from one release to another, for example FreeBSD-9.1-RELEASE to FreeBSD-9.2-RELEASE and to perform a major upgrade of FreeBSD, for example FreeBSD-9.2-RELEASE to FreeBSD-10.0-RELEASE. It cannot be used to upgrade a STABLE version of FreeBSD, which needs to be built from source.


			
				phantomflash said:
			
		

> 5. If #4 is the case, and I reach the current supported version, does that mean I will automatically get the very newest patched apache and openssl along with it?


No, for reasons stated above. Ports like www/apache are installed and managed separately from FreeBSD.


----------



## phantomflash (May 8, 2014)

trh411 said:
			
		

> phantomflash said:
> 
> 
> 
> ...


Yes, you've already said that -- but my question still stands (unanswered).



			
				trh411 said:
			
		

> phantomflash said:
> 
> 
> 
> ...


It was clear in the context of my reply to your first post. You seemed to be saying there was a distinction between the base O/S software that was updated by freebsd-update, vs. ports updated by portupgrade. I asked, well, how do you know which is which?



			
				trh411 said:
			
		

> phantomflash said:
> 
> 
> 
> ...


Again you repeat the same thing, but you don't quite reach the answer to this specific question. To rephrase, is freebsd-update selective or non-selective in the things it updates?



			
				trh411 said:
			
		

> freebsd-update(8) can only be used for RELEASE versions of FreeBSD ... [not STABLE].


Curious, but thanks for that information. When I looked at the Web pages listing different versions, I guess I got the impression that everything except the latest "beta" stuff was "stable."



			
				trh411 said:
			
		

> security/openssl and www/apache are ports and are not part of the base FreeBSD.  freebsd-update(8) cannot be used to upgrade ports.
> Ports like www/apache are installed and managed separately from FreeBSD.


Here you say freebsd-update cannot be used to update apache and openssl. Now this is where it gets really confusing, because you said the exact opposite in your first post:


			
				trh411 said:
			
		

> Why are you trying to upgrade security/openssl? The openssl you need to patch is built into FreeBSD.
> Patching the system using freebsd-update(8) is the normal way to fix the Heartbleed bug if you use binary updates.


where you explicitly told me to use freebsd-update to update these things. So which is it?


----------



## kpa (May 8, 2014)

It's a bit of both. The base system (that is all and everything except /usr/local/*) includes a version of the OpenSSL software and in most cases it is the one that is used by any software (base system or ports) that needs OpenSSL, this version of the OpenSSL is updated with freebsd-update(8) or the so called source based update/upgrade:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/updating-upgrading.html

Note that there are no packages for the base system, none of the ports/packages utitilies can be used to update any parts of the base system.

Then there is the port version of OpenSSL, security/openssl that is either required by some other ports (I can not think of any though at the moment) or you tell the ports(7) system to use the port version of OpenSSL instead of the base system version when compiling ports from source. This is done with a make.conf(5) variable WITH_OPENSSL_PORT set to yes. This port version is updated by compiling a new version of the port or installing a ready-made binary package that replaces the old version.


----------



## dave (May 11, 2014)

trh411 said:
			
		

> FreeBSD-9.0-RELEASE has been end-of-life since 1/31/2013.




```
$ uname -a
FreeBSD sled.turneris.com 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Thu Jan  5 22:56:03 UTC 2012
```

I find it a little ridiculous that FreeBSD 9.0-RELEASE was only "supported" for a little over a year.

I have spent so much time and energy over the years "grokking" FreeBSD.  It seems a shame to have to switch distros, but I am actually considering it.  FreeBSD has become so update-happy in recent years that it's like tracking a dev branch all the time.  Never used to be like that.  At least the updates never used to break stuff that was only a couple years old.


----------



## kpa (May 11, 2014)

All X.0 releases are just glorified beta versions because they are almost straight copies from the head branch without much extra development or testing, that's why none of them are going get extended support status. The next release is then given the extended support status because there's a long period of development between X.0 and X.1 where the problems identified in X.0 can be fixed and it's more likely that the X.1 release can be supported longer without too many problems.

As an example 10.0 will not get extended support status. This means that support for it will end January 31, 2015 as noted on the supported releases pages. I'm personally aiming at using 10.1 when it gets released because I know that it will supported at least 2 years after its release, maybe even longer.


----------



## dave (May 11, 2014)

kpa said:
			
		

> All X.0 releases are just glorified beta versions because they are almost straight copies from the head branch without much extra development or testing, that's why none of them are going get extended support status. The next release is then given the extended support status because there's a long period of development between X.0 and X.1 where the problems identified in X.0 can be fixed and it's more likely that the X.1 release can be supported longer without too many problems.
> 
> As an example 10.0 will not get extended support status. This means that support for it will end January 31, 2015 as noted on the supported releases pages. I'm personally aiming at using 10.1 when it gets released because I know that it will supported at least 2 years after its release, maybe even longer.



I didn't know that - thanks.


----------



## phantomflash (May 12, 2014)

kpa said:
			
		

> It's a bit of both. The base system (that is all and everything except /usr/local/*) includes a version of the OpenSSL software and in most cases it is the one that is used by any software (base system or ports) that needs OpenSSL, this version of the OpenSSL is updated with freebsd-update(8) or the so called source based update/upgrade:
> 
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/updating-upgrading.html
> 
> ...



Wow -- kpa, in your short post you managed to answer several of my questions succinctly. I appreciate it, and it really brought things into more focus for me. I don't know why my original search had failed to bring up the _Handbook_ URL you gave, but it helped a lot. I decided to start kind of slow, using freebsd-update to update from 8.2-RELEASE to 8.4-RELEASE, reasoning that jumping to the 9 or 10 branch might introduce more surprises, which I don't really have time to deal with right now. Using the _Handbook_ and http://www.freebsd.org/releases/8.4R/installation.html, the update proceeded without incident -- just a few minor edits to files like /etc/passwd which it prompted.

By that time I had also checked back with my earlier post from last year, and your reply, (https://forums.freebsd.org/viewtopic.php?f=5&t=40331) which I had forgotten about (because I got interrupted before finishing documenting it at the time), which stated that  ever since the release of Apache version 2, OpenSSL became part of the Apache web server itself. So following the instructions, during that process I also updated Apache (but not OpenSSL, since supposedly it was included).

At the end, for whatever reason, the Apache headers were still showing the older version of OpenSSL (1.0.1e) whereas I needed version 1.0.1g. Then I used your information about the make.conf file. In the file, which dated from last year, was this:

# This line is so all packages will compile with the latest openssl, according to
# http://mebsd.com/freebsd-security-harde ... eebsd.html
WITH_OPENSSL_PORT=yes

Then I looked at the URL it gave, and found information that was eve more relevant. In part, it says:

"With the base install of FreeBSD you get a copy on OpenSSL installed in /usr/bin/openssl, however it is not a registered package. This makes upgrading OpenSSL a little different, you must first install the OpenSSL port and then tell your make.conf to use the port install when using OpenSSL libraries. Once this is done you can keep OpenSSL up to date just as you would with any other port."

So that's yet another slightly different version of how this all works. I updated security/openssl but the Apache headers still showed it was using the old version. Then I tried to force Apache to re-update, but it wouldn't. I also tried that last page's suggested

# portupgrade -Rrf security/openssl

and that updated devel/apr1 and maybe other things, but still no change in the headers. Finally I thought of *restarting Apache*, and then it showed it was using the latest OpenSSL. I guess restarting it earlier would likely have saved time also, but I'm not sure.

So that's the story. I'm putting it here to help others, and to get those helpful URL pointers out there. Thanks for the assistance!


----------



## phantomflash (May 12, 2014)

Hmm -- I have now realized that since I updated the O/S, I'm no longer getting the nightly Emails with system overview and security information. Where is the button to push to get those started again? I would've thought the system update would preserve them, as it preserved various other configuration options.


----------

