Re: [PR PATCH] [Updated] New package: mysql8-8.0.21

[rien <rien@users.noreply.github.com>]

[-- Attachment #1: Type: text/plain, Size: 2046 bytes --]

There is an updated pull request by rien against master on the void-packages repository

https://github.com/rien/void-packages new/mysql-8
https://github.com/void-linux/void-packages/pull/23617

New package: mysql8-8.0.21
This PR adds the MySQL database version 8.

#### Motivation

The other `mysql` package is still version 5.6, but the reason I created a new package is because the upgrade would break most databases since MySQL only has backwards compatibility for one major version. Instead of creating a lot of frustration I took the path void has already taken with postgresql (e.g. creating the `postgresql12` package next to `postgresql`).

#### LibreSSL support

MySQL does not support libressl by default, but I've used some patches from [gentoo](https://dev.gentoo.org/~whissi/dist/mysql/) (with permission of @Whissi). They also maintain a repository with working changes over at https://github.com/Whissi/gentoo-mysql.

#### Cross compiling

I gave up cross compiling this package because I've already spent quite some time getting this compile on x86. Sorry.

During configuration it tries to detect library versions by compiling and running small binaries, but this won't work when cross compiling. I've tried setting `build_helper=qemu` but it dies without error message, just error code 2. At that point i gave up because building this package takes ages.

#### Initialization

I've tried to replicate the behavior of the original `mysql` package as close as possible. The `INSTALL` script initializes the data directory and sets an empty root password. It also echo's a message telling the user they should run `mysql_secure_installation` in order to set a root password and to remove test databases and anonymous users.

The given configuration only allows connections from localhost, so the security risk is at a minimum here. However, if desired I can let the initialization step generate a random root password.

A patch file from https://github.com/void-linux/void-packages/pull/23617.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-new/mysql-8-23617.patch --]
[-- Type: text/x-diff, Size: 27767 bytes --]

From 9363d42f66c8fee649cbd740c1a90aa8a4e85f82 Mon Sep 17 00:00:00 2001
From: Rien Maertens <rien.maertens@posteo.be>
Date: Fri, 17 Jul 2020 16:40:07 +0200
Subject: [PATCH] [ci skip] New package: mysql8-8.0.21

---
 srcpkgs/libmysqlclient8                       |   1 +
 srcpkgs/libmysqlclient8-devel                 |   1 +
 srcpkgs/mysql8-client                         |   1 +
 srcpkgs/mysql8/INSTALL                        |  12 +
 srcpkgs/mysql8/files/my.cnf                   |  37 ++
 srcpkgs/mysql8/files/mysqld/log/run           |   2 +
 srcpkgs/mysql8/files/mysqld/run               |   4 +
 .../patches/0002-cmake-Remove-Werror.patch    |  30 ++
 .../0004-tests-fix-grant_user_lock-test.patch |  92 +++++
 .../patches/0005-Add-LibreSSL-support.patch   | 356 ++++++++++++++++++
 srcpkgs/mysql8/template                       | 117 ++++++
 srcpkgs/mysql8/update                         |   2 +
 12 files changed, 655 insertions(+)
 create mode 120000 srcpkgs/libmysqlclient8
 create mode 120000 srcpkgs/libmysqlclient8-devel
 create mode 120000 srcpkgs/mysql8-client
 create mode 100644 srcpkgs/mysql8/INSTALL
 create mode 100644 srcpkgs/mysql8/files/my.cnf
 create mode 100755 srcpkgs/mysql8/files/mysqld/log/run
 create mode 100755 srcpkgs/mysql8/files/mysqld/run
 create mode 100644 srcpkgs/mysql8/patches/0002-cmake-Remove-Werror.patch
 create mode 100644 srcpkgs/mysql8/patches/0004-tests-fix-grant_user_lock-test.patch
 create mode 100644 srcpkgs/mysql8/patches/0005-Add-LibreSSL-support.patch
 create mode 100644 srcpkgs/mysql8/template
 create mode 100644 srcpkgs/mysql8/update

diff --git a/srcpkgs/libmysqlclient8 b/srcpkgs/libmysqlclient8
new file mode 120000
index 00000000000..9a17e91b694
--- /dev/null
+++ b/srcpkgs/libmysqlclient8
@@ -0,0 +1 @@
+mysql8
\ No newline at end of file
diff --git a/srcpkgs/libmysqlclient8-devel b/srcpkgs/libmysqlclient8-devel
new file mode 120000
index 00000000000..9a17e91b694
--- /dev/null
+++ b/srcpkgs/libmysqlclient8-devel
@@ -0,0 +1 @@
+mysql8
\ No newline at end of file
diff --git a/srcpkgs/mysql8-client b/srcpkgs/mysql8-client
new file mode 120000
index 00000000000..9a17e91b694
--- /dev/null
+++ b/srcpkgs/mysql8-client
@@ -0,0 +1 @@
+mysql8
\ No newline at end of file
diff --git a/srcpkgs/mysql8/INSTALL b/srcpkgs/mysql8/INSTALL
new file mode 100644
index 00000000000..b89ac5cb831
--- /dev/null
+++ b/srcpkgs/mysql8/INSTALL
@@ -0,0 +1,12 @@
+# *-*-shell-*-*
+#
+case ${ACTION} in
+post)
+	install -dm0700 var/lib/mysql
+	bin/mysqld --user=mysql --initialize-insecure --datadir=/var/lib/mysql
+	chown -R mysql:mysql var/lib/mysql
+	echo "Your MySQL password is empty."
+	echo "Please secure your database by running"
+	echo "# mysql_secure_database"
+	;;
+esac
diff --git a/srcpkgs/mysql8/files/my.cnf b/srcpkgs/mysql8/files/my.cnf
new file mode 100644
index 00000000000..e623c9249ab
--- /dev/null
+++ b/srcpkgs/mysql8/files/my.cnf
@@ -0,0 +1,37 @@
+# MySQL configuration file for client and server based on the Gentoo
+# configurations.
+
+# The following options will be passed to all MySQL clients
+[client]
+port				= 3306
+socket				= /run/mysqld/mysqld.sock
+
+# Here follows entries for some specific programs
+
+# The MySQL server
+[mysqld]
+port		= 3306
+bind		= 127.0.0.1
+socket		= /run/mysqld/mysqld.sock
+datadir		= /var/lib/mysql
+skip-external-locking
+
+# Since MySQL 8 the default authentication plugin switched from
+# 'mysql_native_password' to the more secure 'caching_sha2_password'.
+# Uncomment the next line if you experience issues with client libraries.
+#
+#loose-default-authentication-plugin = mysql_native_password
+
+log-bin
+# required unique id between 1 and 2^32 - 1
+# defaults to 1 if master-host is not set
+# but will not function as a master if omitted
+server-id	= 1
+
+[mysqldump]
+quick
+max_allowed_packet = 16M
+
+[mysql]
+# Remove the next comment character if you are not familiar with SQL
+#safe-updates
diff --git a/srcpkgs/mysql8/files/mysqld/log/run b/srcpkgs/mysql8/files/mysqld/log/run
new file mode 100755
index 00000000000..b36c4dafa40
--- /dev/null
+++ b/srcpkgs/mysql8/files/mysqld/log/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec logger -p daemon.notice
diff --git a/srcpkgs/mysql8/files/mysqld/run b/srcpkgs/mysql8/files/mysqld/run
new file mode 100755
index 00000000000..bc16a07883e
--- /dev/null
+++ b/srcpkgs/mysql8/files/mysqld/run
@@ -0,0 +1,4 @@
+#!/bin/sh
+[ ! -d /run/mysqld ] && mkdir -p /run/mysqld
+chown mysql:mysql /run/mysqld
+exec chpst -u mysql:mysql mysqld --user=mysql 2>&1
diff --git a/srcpkgs/mysql8/patches/0002-cmake-Remove-Werror.patch b/srcpkgs/mysql8/patches/0002-cmake-Remove-Werror.patch
new file mode 100644
index 00000000000..4a52bebef2f
--- /dev/null
+++ b/srcpkgs/mysql8/patches/0002-cmake-Remove-Werror.patch
@@ -0,0 +1,30 @@
+From 1c066f5ea010994c790113bf6cf4a520227a9e06 Mon Sep 17 00:00:00 2001
+From: Thomas Deutschmann <whissi@gentoo.org>
+Date: Thu, 30 Apr 2020 19:59:26 +0200
+Subject: [PATCH 2/5] cmake: Remove -Werror
+
+Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
+---
+ cmake/maintainer.cmake | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git cmake/maintainer.cmake cmake/maintainer.cmake
+index 6aa3ac866..b2f63bdaa 100644
+--- cmake/maintainer.cmake
++++ cmake/maintainer.cmake
+@@ -157,12 +157,6 @@ IF(MY_COMPILER_IS_CLANG)
+   # -Wzero-as-null-pointer-constant
+ ENDIF()
+ 
+-# Turn on Werror (warning => error) when using maintainer mode.
+-IF(MYSQL_MAINTAINER_MODE)
+-  STRING_APPEND(MY_C_WARNING_FLAGS   " -Werror")
+-  STRING_APPEND(MY_CXX_WARNING_FLAGS " -Werror")
+-ENDIF()
+-
+ # Set warning flags for gcc/g++/clang/clang++
+ IF(MY_COMPILER_IS_GNU_OR_CLANG)
+   STRING_APPEND(CMAKE_C_FLAGS   " ${MY_C_WARNING_FLAGS}")
+-- 
+2.27.0
+
diff --git a/srcpkgs/mysql8/patches/0004-tests-fix-grant_user_lock-test.patch b/srcpkgs/mysql8/patches/0004-tests-fix-grant_user_lock-test.patch
new file mode 100644
index 00000000000..3bd1bc5a402
--- /dev/null
+++ b/srcpkgs/mysql8/patches/0004-tests-fix-grant_user_lock-test.patch
@@ -0,0 +1,92 @@
+From 38427b53ffc34f465534bcb1cbc56fc8f2c07d8d Mon Sep 17 00:00:00 2001
+From: Thomas Deutschmann <whissi@gentoo.org>
+Date: Thu, 30 Apr 2020 20:01:20 +0200
+Subject: [PATCH 4/5] tests: fix grant_user_lock test
+
+Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
+---
+ mysql-test/r/grant_user_lock.result |  4 ++--
+ mysql-test/t/grant_user_lock.test   | 12 ++++++------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git mysql-test/r/grant_user_lock.result mysql-test/r/grant_user_lock.result
+index 54aaddfb8..9c95380f1 100644
+--- mysql-test/r/grant_user_lock.result
++++ mysql-test/r/grant_user_lock.result
+@@ -98,13 +98,13 @@ CURRENT_USER()
+ DROP USER ''@localhost;
+ # Create anonymous user - LOCK
+ CREATE USER ''@localhost IDENTIFIED BY 'pass' ACCOUNT LOCK;
+-connect(localhost,,pass,test,MASTER_PORT,MASTER_SOCKET);
++connect(localhost, ,pass,test,MASTER_PORT,MASTER_SOCKET);
+ ERROR HY000: Access denied for user '(null)'@'localhost'. Account is locked.
+ DROP USER ''@localhost;
+ # Disabling anonymous user
+ CREATE USER ''@localhost IDENTIFIED BY 'pass';
+ ALTER USER ''@localhost ACCOUNT LOCK;
+-connect(localhost,,pass,test,MASTER_PORT,MASTER_SOCKET);
++connect(localhost, ,pass,test,MASTER_PORT,MASTER_SOCKET);
+ ERROR HY000: Access denied for user '(null)'@'localhost'. Account is locked.
+ DROP USER ''@localhost;
+ # Enabling anonymous user
+diff --git mysql-test/t/grant_user_lock.test mysql-test/t/grant_user_lock.test
+index c867bd53d..03f877def 100644
+--- mysql-test/t/grant_user_lock.test
++++ mysql-test/t/grant_user_lock.test
+@@ -112,7 +112,7 @@ DROP USER unlocked_user2@localhost;
+ --echo # Create anonymous user
+ connection default;
+ CREATE USER ''@localhost IDENTIFIED BY 'pass';
+-connect(anonymous_user_con, localhost, '', pass);
++connect(anonymous_user_con, localhost, ' ', pass);
+ SELECT CURRENT_USER();
+ disconnect anonymous_user_con;
+ connection default;
+@@ -121,7 +121,7 @@ DROP USER ''@localhost;
+ --echo # Create anonymous user - explicit UNLOCK
+ connection default;
+ CREATE USER ''@localhost IDENTIFIED BY 'pass' ACCOUNT UNLOCK;
+-connect(anonymous_user_con, localhost, '', pass);
++connect(anonymous_user_con, localhost, ' ', pass);
+ SELECT CURRENT_USER();
+ disconnect anonymous_user_con;
+ connection default;
+@@ -132,7 +132,7 @@ connection default;
+ CREATE USER ''@localhost IDENTIFIED BY 'pass' ACCOUNT LOCK;
+ --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+ --error ER_ACCOUNT_HAS_BEEN_LOCKED
+-connect(anonymous_user_con, localhost, '', pass);
++connect(anonymous_user_con, localhost, ' ', pass);
+ connection default;
+ DROP USER ''@localhost;
+ 
+@@ -142,7 +142,7 @@ CREATE USER ''@localhost IDENTIFIED BY 'pass';
+ ALTER USER ''@localhost ACCOUNT LOCK;
+ --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+ --error ER_ACCOUNT_HAS_BEEN_LOCKED
+-connect(anonymous_user_con, localhost, '', pass);
++connect(anonymous_user_con, localhost, ' ', pass);
+ connection default;
+ DROP USER ''@localhost;
+ 
+@@ -150,7 +150,7 @@ DROP USER ''@localhost;
+ connection default;
+ CREATE USER ''@localhost IDENTIFIED BY 'pass' ACCOUNT LOCK;
+ ALTER USER ''@localhost ACCOUNT UNLOCK;
+-connect(anonymous_user_con, localhost, '', pass);
++connect(anonymous_user_con, localhost, ' ', pass);
+ SELECT CURRENT_USER();
+ disconnect anonymous_user_con;
+ connection default;
+@@ -170,7 +170,7 @@ connection default;
+ CREATE user ''@localhost IDENTIFIED BY 'pass';
+ CREATE USER 'unlocked_user'@localhost IDENTIFIED BY 'pass';
+ 
+-connect(anonymous_user_con, localhost, '', pass);
++connect(anonymous_user_con, localhost, ' ', pass);
+ --error ER_TABLEACCESS_DENIED_ERROR
+ UPDATE mysql.user SET account_locked='Y'
+   WHERE user='unlocked_user' and host = 'localhost';
+-- 
+2.27.0
+
diff --git a/srcpkgs/mysql8/patches/0005-Add-LibreSSL-support.patch b/srcpkgs/mysql8/patches/0005-Add-LibreSSL-support.patch
new file mode 100644
index 00000000000..e2a9440323d
--- /dev/null
+++ b/srcpkgs/mysql8/patches/0005-Add-LibreSSL-support.patch
@@ -0,0 +1,356 @@
+From 4aadff7b08f6a69160a44c1742d5a12fb5abc059 Mon Sep 17 00:00:00 2001
+From: Thomas Deutschmann <whissi@gentoo.org>
+Date: Thu, 30 Apr 2020 20:01:48 +0200
+Subject: [PATCH 5/5] Add LibreSSL support
+
+Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
+---
+ cmake/ssl.cmake                               |  5 +++--
+ mysys/my_md5.cc                               |  2 ++
+ .../bindings/xcom/xcom/xcom_ssl_transport.cc  |  6 +++++-
+ plugin/x/client/xconnection_impl.cc           |  4 ++++
+ router/src/http/src/tls_client_context.cc     |  2 +-
+ router/src/http/src/tls_context.cc            |  9 ++++++--
+ router/src/http/src/tls_server_context.cc     |  3 ++-
+ sql-common/client.cc                          |  2 ++
+ sql/mysqld.cc                                 |  4 +++-
+ sql/sys_vars.cc                               | 21 +++++++++++++++++--
+ vio/viossl.cc                                 |  8 +++----
+ vio/viosslfactories.cc                        |  2 ++
+ 12 files changed, 54 insertions(+), 14 deletions(-)
+
+diff --git cmake/ssl.cmake cmake/ssl.cmake
+index 52feadeaa..3b8332695 100644
+--- cmake/ssl.cmake
++++ cmake/ssl.cmake
+@@ -222,13 +222,14 @@ MACRO (MYSQL_CHECK_SSL)
+         OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
+         )
+     ENDIF()
+-    IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0")
++    CHECK_SYMBOL_EXISTS(TLS1_3_VERSION "openssl/tls1.h" HAVE_TLS1_3_VERSION)
++    IF(HAVE_TLS1_3_VERSION)
+        ADD_DEFINITIONS(-DHAVE_TLSv13)
+     ENDIF()
+     IF(OPENSSL_INCLUDE_DIR AND
+        OPENSSL_LIBRARY   AND
+        CRYPTO_LIBRARY      AND
+-       OPENSSL_MAJOR_VERSION STREQUAL "1"
++       OPENSSL_MAJOR_VERSION VERSION_GREATER_EQUAL "1"
+       )
+       SET(OPENSSL_FOUND TRUE)
+       FIND_PROGRAM(OPENSSL_EXECUTABLE openssl
+diff --git mysys/my_md5.cc mysys/my_md5.cc
+index dea997b25..531696329 100644
+--- mysys/my_md5.cc
++++ mysys/my_md5.cc
+@@ -56,7 +56,9 @@ static void my_md5_hash(unsigned char *digest, unsigned const char *buf,
+ int compute_md5_hash(char *digest, const char *buf, int len) {
+   int retval = 0;
+   int fips_mode = 0;
++#ifndef LIBRESSL_VERSION_NUMBER
+   fips_mode = FIPS_mode();
++#endif
+   /* If fips mode is ON/STRICT restricted method calls will result into abort,
+    * skipping call. */
+   if (fips_mode == 0) {
+diff --git plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc
+index 8bf63ce14..02f91b44e 100644
+--- plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc
++++ plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc
+@@ -325,6 +325,7 @@ error:
+   return 1;
+ }
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+ #define OPENSSL_ERROR_LENGTH 512
+ static int configure_ssl_fips_mode(const uint fips_mode) {
+   int rc = -1;
+@@ -348,6 +349,7 @@ static int configure_ssl_fips_mode(const uint fips_mode) {
+ EXIT:
+   return rc;
+ }
++#endif
+ 
+ static int configure_ssl_ca(SSL_CTX *ssl_ctx, const char *ca_file,
+                             const char *ca_path) {
+@@ -544,10 +546,12 @@ int xcom_init_ssl(const char *server_key_file, const char *server_cert_file,
+   int verify_server = SSL_VERIFY_NONE;
+   int verify_client = SSL_VERIFY_NONE;
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+   if (configure_ssl_fips_mode(ssl_fips_mode) != 1) {
+     G_ERROR("Error setting the ssl fips mode");
+     goto error;
+   }
++#endif
+ 
+   SSL_library_init();
+   SSL_load_error_strings();
+@@ -611,7 +615,7 @@ error:
+ void xcom_cleanup_ssl() {
+   if (!xcom_use_ssl()) return;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   ERR_remove_thread_state(0);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ }
+diff --git plugin/x/client/xconnection_impl.cc plugin/x/client/xconnection_impl.cc
+index 13bc6794e..5223169db 100644
+--- plugin/x/client/xconnection_impl.cc
++++ plugin/x/client/xconnection_impl.cc
+@@ -498,6 +498,7 @@ XError Connection_impl::get_ssl_error(const int error_id) {
+   return XError(CR_SSL_CONNECTION_ERROR, buffer);
+ }
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+ /**
+   Set fips mode in openssl library,
+   When we set fips mode ON/STRICT, it will perform following operations:
+@@ -537,6 +538,7 @@ int set_fips_mode(const uint32_t fips_mode,
+ EXIT:
+   return rc;
+ }
++#endif
+ 
+ XError Connection_impl::activate_tls() {
+   if (nullptr == m_vio) return get_socket_error(SOCKET_ECONNRESET);
+@@ -547,12 +549,14 @@ XError Connection_impl::activate_tls() {
+   if (!m_context->m_ssl_config.is_configured())
+     return XError{CR_SSL_CONNECTION_ERROR, ER_TEXT_TLS_NOT_CONFIGURATED, true};
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+   char err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
+   if (set_fips_mode(
+           static_cast<uint32_t>(m_context->m_ssl_config.m_ssl_fips_mode),
+           err_string) != 1) {
+     return XError{CR_SSL_CONNECTION_ERROR, err_string, true};
+   }
++#endif
+   auto ssl_ctx_flags = process_tls_version(
+       details::null_when_empty(m_context->m_ssl_config.m_tls_version));
+ 
+diff --git router/src/http/src/tls_client_context.cc router/src/http/src/tls_client_context.cc
+index 297ceee30..7c1157289 100644
+--- router/src/http/src/tls_client_context.cc
++++ router/src/http/src/tls_client_context.cc
+@@ -54,7 +54,7 @@ void TlsClientContext::verify(TlsVerify verify) {
+ 
+ void TlsClientContext::cipher_suites(const std::string &ciphers) {
+ // TLSv1.3 ciphers are controlled via SSL_CTX_set_ciphersuites()
+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)
++#ifdef TLS1_3_VERSION
+   if (1 != SSL_CTX_set_ciphersuites(ssl_ctx_.get(), ciphers.c_str())) {
+     throw TlsError("set-cipher-suites");
+   }
+diff --git router/src/http/src/tls_context.cc router/src/http/src/tls_context.cc
+index 60ed7e6ca..388ef8f28 100644
+--- router/src/http/src/tls_context.cc
++++ router/src/http/src/tls_context.cc
+@@ -91,7 +91,7 @@ static int o11x_version(TlsVersion version) {
+       return TLS1_1_VERSION;
+     case TlsVersion::TLS_1_2:
+       return TLS1_2_VERSION;
+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)
++#ifdef TLS1_3_VERSION
+     case TlsVersion::TLS_1_3:
+       return TLS1_3_VERSION;
+ #endif
+@@ -120,9 +120,11 @@ void TlsContext::version_range(TlsVersion min_version, TlsVersion max_version) {
+   switch (min_version) {
+     default:
+       // unknown, leave all disabled
++#ifdef TLS1_3_VERSION
+       // fallthrough
+     case TlsVersion::TLS_1_3:
+       opts |= SSL_OP_NO_TLSv1_2;
++#endif
+       // fallthrough
+     case TlsVersion::TLS_1_2:
+       opts |= SSL_OP_NO_TLSv1_1;
+@@ -170,8 +172,10 @@ TlsVersion TlsContext::min_version() const {
+       return TlsVersion::TLS_1_1;
+     case TLS1_2_VERSION:
+       return TlsVersion::TLS_1_2;
++#ifdef TLS1_3_VERSION
+     case TLS1_3_VERSION:
+       return TlsVersion::TLS_1_3;
++#endif
+     case 0:
+       return TlsVersion::AUTO;
+     default:
+@@ -230,7 +234,8 @@ TlsContext::InfoCallback TlsContext::info_callback() const {
+ }
+ 
+ int TlsContext::security_level() const {
+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) && \
++    !defined(LIBRESSL_VERSION_NUMBER)
+   return SSL_CTX_get_security_level(ssl_ctx_.get());
+ #else
+   return 0;
+diff --git router/src/http/src/tls_server_context.cc router/src/http/src/tls_server_context.cc
+index 0f4472419..707d7de86 100644
+--- router/src/http/src/tls_server_context.cc
++++ router/src/http/src/tls_server_context.cc
+@@ -167,7 +167,8 @@ void TlsServerContext::init_tmp_dh(const std::string &dh_params) {
+     }
+ 
+   } else {
+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) && \
++    !defined(LIBRESSL_VERSION_NUMBER)
+     dh2048.reset(DH_get_2048_256());
+ #else
+     /*
+diff --git sql-common/client.cc sql-common/client.cc
+index ffb136b5b..8a0c7b834 100644
+--- sql-common/client.cc
++++ sql-common/client.cc
+@@ -7766,6 +7766,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option,
+         return 1;
+       break;
+     case MYSQL_OPT_SSL_FIPS_MODE: {
++#if !defined(LIBRESSL_VERSION_NUMBER)
+       char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
+       ENSURE_EXTENSIONS_PRESENT(&mysql->options);
+       mysql->options.extension->ssl_fips_mode = *static_cast<const uint *>(arg);
+@@ -7777,6 +7778,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option,
+             "Set Fips mode ON/STRICT failed, detail: '%s'.", ssl_err_string);
+         return 1;
+       }
++#endif
+     } break;
+     case MYSQL_OPT_SSL_MODE:
+       ENSURE_EXTENSIONS_PRESENT(&mysql->options);
+diff --git sql/mysqld.cc sql/mysqld.cc
+index 682e8d5ae..96a922d7a 100644
+--- sql/mysqld.cc
++++ sql/mysqld.cc
+@@ -5109,7 +5109,7 @@ static int init_thread_environment() {
+ 
+ static PSI_memory_key key_memory_openssl = PSI_NOT_INSTRUMENTED;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define FILE_LINE_ARGS
+ #else
+ #define FILE_LINE_ARGS , const char *, int
+@@ -5143,12 +5143,14 @@ static void init_ssl() {
+ }
+ 
+ static int init_ssl_communication() {
++#ifndef LIBRESSL_VERSION_NUMBER
+   char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
+   int ret_fips_mode = set_fips_mode(opt_ssl_fips_mode, ssl_err_string);
+   if (ret_fips_mode != 1) {
+     LogErr(ERROR_LEVEL, ER_SSL_FIPS_MODE_ERROR, ssl_err_string);
+     return 1;
+   }
++#endif
+   if (TLS_channel::singleton_init(&mysql_main, mysql_main_channel, opt_use_ssl,
+                                   &server_main_callback, opt_initialize))
+     return 1;
+diff --git sql/sys_vars.cc sql/sys_vars.cc
+index 5b1a82d2f..4e2dff865 100644
+--- sql/sys_vars.cc
++++ sql/sys_vars.cc
+@@ -4474,6 +4474,7 @@ static Sys_var_ulong Sys_max_execution_time(
+     HINT_UPDATEABLE SESSION_VAR(max_execution_time), CMD_LINE(REQUIRED_ARG),
+     VALID_RANGE(0, ULONG_MAX), DEFAULT(0), BLOCK_SIZE(1));
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+ static bool update_fips_mode(sys_var *, THD *, enum_var_type) {
+   char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
+   if (set_fips_mode(opt_ssl_fips_mode, ssl_err_string) != 1) {
+@@ -4484,15 +4485,31 @@ static bool update_fips_mode(sys_var *, THD *, enum_var_type) {
+     return false;
+   }
+ }
++#endif
++
++#if defined(LIBRESSL_VERSION_NUMBER)
++static const char *ssl_fips_mode_names[] = {"OFF", 0};
++#else
++static const char *ssl_fips_mode_names[] = {"OFF", "ON", "STRICT", 0};
++#endif
+ 
+-static const char *ssl_fips_mode_names[] = {"OFF", "ON", "STRICT", nullptr};
+ static Sys_var_enum Sys_ssl_fips_mode(
+     "ssl_fips_mode",
+     "SSL FIPS mode (applies only for OpenSSL); "
++#ifndef LIBRESSL_VERSION_NUMBER
+     "permitted values are: OFF, ON, STRICT",
++#else
++    "permitted values are: OFF",
++#endif
+     GLOBAL_VAR(opt_ssl_fips_mode), CMD_LINE(REQUIRED_ARG, OPT_SSL_FIPS_MODE),
+     ssl_fips_mode_names, DEFAULT(0), NO_MUTEX_GUARD, NOT_IN_BINLOG,
+-    ON_CHECK(nullptr), ON_UPDATE(update_fips_mode), nullptr);
++    ON_CHECK(NULL),
++#ifndef LIBRESSL_VERSION_NUMBER
++    ON_UPDATE(update_fips_mode),
++#else
++    ON_UPDATE(NULL),
++#endif
++    NULL);
+ 
+ static Sys_var_bool Sys_auto_generate_certs(
+     "auto_generate_certs",
+diff --git vio/viossl.cc vio/viossl.cc
+index 0e9594741..3a589c64b 100644
+--- vio/viossl.cc
++++ vio/viossl.cc
+@@ -45,7 +45,7 @@
+   BIO_set_callback_ex was added in openSSL 1.1.1
+   For older openSSL, use the deprecated BIO_set_callback.
+ */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #define HAVE_BIO_SET_CALLBACK_EX
+ #endif
+ 
+@@ -634,8 +634,8 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
+ 
+ #if !defined(DBUG_OFF)
+     {
+-      STACK_OF(SSL_COMP) *ssl_comp_methods = nullptr;
+-      ssl_comp_methods = SSL_COMP_get_compression_methods();
++      STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
++      ssl_comp_methods = (STACK_OF(SSL_COMP) *)SSL_COMP_get_compression_methods();
+       n = sk_SSL_COMP_num(ssl_comp_methods);
+       DBUG_PRINT("info", ("Available compression methods:\n"));
+       if (n == 0)
+@@ -643,7 +643,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
+       else
+         for (j = 0; j < n; j++) {
+           SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+           DBUG_PRINT("info", ("  %d: %s\n", c->id, c->name));
+ #else  /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+           DBUG_PRINT("info",
+diff --git vio/viosslfactories.cc vio/viosslfactories.cc
+index 6c04029cc..f27221463 100644
+--- vio/viosslfactories.cc
++++ vio/viosslfactories.cc
+@@ -473,6 +473,7 @@ void ssl_start() {
+   }
+ }
+ 
++#ifndef LIBRESSL_VERSION_NUMBER
+ /**
+   Set fips mode in openssl library,
+   When we set fips mode ON/STRICT, it will perform following operations:
+@@ -526,6 +527,7 @@ EXIT:
+   @returns openssl current fips mode
+ */
+ uint get_fips_mode() { return FIPS_mode(); }
++#endif
+ 
+ long process_tls_version(const char *tls_version) {
+   const char *separator = ",";
+-- 
+2.27.0
+
diff --git a/srcpkgs/mysql8/template b/srcpkgs/mysql8/template
new file mode 100644
index 00000000000..5bc304d86e7
--- /dev/null
+++ b/srcpkgs/mysql8/template
@@ -0,0 +1,117 @@
+# Template file for 'mysql8'
+pkgname=mysql8
+version=8.0.21
+revision=1
+wrksrc="mysql-${version}"
+build_style=cmake
+build_helper=qemu
+configure_args="
+	-DINSTALL_INFODIR=share/mysql/docs
+	-DINSTALL_MANDIR=share/man
+	-DINSTALL_PLUGINDIR=lib/mysql/plugin
+	-DINSTALL_SCRIPTDIR=bin
+	-DINSTALL_INCLUDEDIR=include/mysql
+	-DINSTALL_DOCREADMEDIR=share/mysql
+	-DINSTALL_SUPPORTFILESDIR=share/mysql
+	-DINSTALL_MYSQLSHAREDIR=share/mysql
+	-DINSTALL_DOCDIR=share/mysql/docs
+	-DINSTALL_SHAREDIR=share/mysql
+	-DSYSCONFDIR=/etc/mysql
+	-DMYSQL_DATADIR=/var/lib/mysql
+	-DMYSQL_UNIX_ADDR=/run/mysqld/mysqld.sock
+	-DDEFAULT_CHARSET=utf8mb4               # default
+	-DDEFAULT_COLLATION=utf8mb4_0900_ai_ci  # default
+	-DENABLED_LOCAL_INFILE=ON
+	-DWITH_ZLIB=system
+	-DWITH_ZSTD=system
+	-DWITH_LZ4=system
+	-DWITH_LZMA=system
+	-DWITH_SSL=system
+	-DWITH_SSL=system
+	-DWITH_LIBWRAP=OFF
+	-DWITHOUT_EXAMPLE_STORAGE_ENGINE=1
+	-DWITHOUT_ARCHIVE_STORAGE_ENGINE=1
+	-DWITHOUT_BLACKHOLE_STORAGE_ENGINE=1
+	-DWITHOUT_FEDERATED_STORAGE_ENGINE=1
+	-DWITHOUT_NDB_STORAGE_ENGINE=1
+"
+hostmakedepends="perl bison ncurses-devel"
+makedepends="zlib-devel libzstd-devel liblz4-devel liblzma-devel libressl-devel
+readline-devel boost-devel libevent-devel"
+depends="mysql8-client"
+conf_files="/etc/mysql/my.cnf"
+short_desc="World's most popular open source database"
+maintainer="Rien Maertens <rien.maertens@posteo.be>"
+license="GPL-2.0-only"
+homepage="https://www.mysql.com/products/community/"
+distfiles="http://dev.mysql.com/get/Downloads/MySQL-${version%.*}/mysql-${version}.tar.gz"
+checksum=ad56535eee03943adeef5f188e1df7a39729a7557d8b2179b1affd994b990034
+replaces="mysql>=0"
+provides="mysql-${version}_${revision}"
+system_accounts="mysql"
+mysql_homedir="/var/lib/mysql"
+lib32disabled=yes
+nocross="cross compiling should be possible but I gave up"
+
+
+post_install() {
+	# Remove unneeded stuff.
+	rm -rf ${DESTDIR}/usr/{sql-bench,mysql-test,data}
+	rm -f ${DESTDIR}/usr/share/man/man1/mysql-test-run.pl.1
+
+	# Configuration file.
+	vinstall ${FILESDIR}/my.cnf 644 etc/mysql
+
+	# runit service
+	vsv mysqld
+}
+
+libmysqlclient8_package() {
+	short_desc+=" - client library"
+	provides="libmysqlclient-${version}_${revision}"
+	replaces="libmysqlclient>=0"
+	pkg_install() {
+		vmove "usr/lib/libmysqlclient*.so.*"
+	}
+}
+
+libmysqlclient8-devel_package() {
+	depends="libmysqlclient8>=${version}_${revision}"
+	provides="libmysqlclient-devel-${version}_${revision}"
+	replaces="libmysqlclient-devel>=0"
+	short_desc+=" - development files"
+	pkg_install() {
+		vmove usr/bin/mysql_config
+		vmove usr/share/man/man1/mysql_config.1
+		vmove usr/include
+		vmove "usr/lib/*.a"
+		vmove "usr/lib/*.so"
+	}
+}
+
+mysql8-client_package() {
+	depends="perl"
+	provides="mysql-client-${version}_${revision}"
+	replaces="mysql-client>=0"
+	short_desc+=" - database client binaries"
+	pkg_install() {
+		for f in innochecksum innotop myisam_ftdump mysql mysql_client_test \
+			mysql_client_test_embedded mysqldumpslow mysqlbinlog \
+			mysql_find_rows mysql_fix_extensions mysql_waitpid mysqlaccess \
+			mysqladmin mysqlanalyze mysqlbug mysqlcheck mysqldump \
+			mysqlimport mysqloptimize mysqlrepair mysqlreport mysqlshow \
+			mysqlslap mysqltest_embedded mysqlmanager mysqltest \
+			mysqlhotcopy mysql_upgrade mysql_zap; do
+			if [ -f ${DESTDIR}/usr/bin/${f} ]; then
+				vmove usr/bin/${f}
+			elif [ -f ${DESTDIR}/usr/sbin/${f} ]; then
+				vmove usr/sbin/${f}
+			fi
+			if [ -f ${DESTDIR}/usr/share/man/man1/${f}.1 ]; then
+				vmove usr/share/man/man1/${f}.1
+			elif [ -f ${DESTDIR}/usr/share/man/man8/${f}.8 ]; then
+				vmove usr/share/man/man8/${f}.8
+			fi
+		done
+	}
+}
diff --git a/srcpkgs/mysql8/update b/srcpkgs/mysql8/update
new file mode 100644
index 00000000000..da80797cf4a
--- /dev/null
+++ b/srcpkgs/mysql8/update
@@ -0,0 +1,2 @@
+site='http://dev.mysql.com/downloads/mysql/'
+pattern='MySQL Community Server \K[\d.]+'