# HG changeset patch # User Taylor R Campbell # Date 1765742676 0 # Sun Dec 14 20:04:36 2025 +0000 # Branch trunk # Node ID 382ff7cdfb0de3c764580f1f3153d1df9cc04362 # Parent 7db59feec58491625e1259e117c8ae0dc7543f4a # EXP-Topic riastradh-pr58648-privatelibsubdir Add logic for /usr/lib/private libraries and use it for libssh. New variables for makefiles to define: LIBSUBDIR -- If nonempty, install library into ${LIBDIR}/${LIBSUBDIR} instead of ${LIBDIR}. Typically set either to empty or to `private'. LIBDPSUBDIRS -- List of subdirectories _subdir_ to add -L${SHLIBDIR}/${_subdir_} -Wl,-R${SHLIBDIR}/${_subdir_} to ldflags when linking library. Note: Should only be used inside private libraries, not inside public libraries to link against private libraries, which can't work -- see comment. PROGDPSUBDIRS -- List of subdirectories _subdir_ to add -L${SHLIBDIR}/${_subdir_} -Wl,-R${SHLIBDIR}/${_subdir_} to ldflags when linking program. Libraries that we want to install because we use them in binaries we ship, but that we want to keep private from applications so we don't have to worry about ABI breakage or leakage into pkgsrc builds, should generally set: LIBSUBDIR= private # Install into /usr/lib/private. NOCOMPAT= # defined # Don't build compat lib. NOLINKLIB= # defined # Don't install .so symlink or .a lib. (XXX Maybe we should have a `LIBISPRIVATE= installed' or something for doing this automatically, but for now I'm putting in the minimal mechanism to implement this and we can condense a common pattern later.) Programs using the library will also have to set PROGDPSUBDIRS+= private so that they will get the rpath /usr/lib/private. (XXX This should be discoverable by PROGDPLIBS but for now we don't have that mechanism.) PR lib/58648: private shared libraries should go in /usr/lib/private, not /usr/lib diff -r 7db59feec584 -r 382ff7cdfb0d crypto/external/bsd/openssh/Makefile.inc --- a/crypto/external/bsd/openssh/Makefile.inc Tue Nov 25 18:49:34 2025 +0000 
+++ b/crypto/external/bsd/openssh/Makefile.inc Sun Dec 14 20:04:36 2025 +0000 @@ -52,3 +52,10 @@ LINTFLAGS+= -X 117 # nonportable '>>' on LINTFLAGS+= -X 231 # parameter unused LINTFLAGS+= -X 247 # pointer cast to unrelated type LINTFLAGS+= -X 351 # missing header declaration + +# We install libssh in /usr/lib/private so applications don't +# accidentally link against it. Set LIBSUBDIR so libssh.so.N and +# libssh.so.N.M will be installed there there, and set PROGDPSUBDIRS so +# ssh/sshd/sshd-session/&c. will find it at link-time. +LIBSUBDIR= private +PROGDPSUBDIRS+= private diff -r 7db59feec584 -r 382ff7cdfb0d crypto/external/bsd/openssh/lib/Makefile --- a/crypto/external/bsd/openssh/lib/Makefile Tue Nov 25 18:49:34 2025 +0000 +++ b/crypto/external/bsd/openssh/lib/Makefile Sun Dec 14 20:04:36 2025 +0000 @@ -1,5 +1,17 @@ # $NetBSD: Makefile,v 1.44 2025/10/11 15:45:10 christos Exp $ +# libssh is not meant for applications to link against -- it's a +# private library of the ssh/sshd/&c. executables we ship. So don't +# install compat versions (we don't ship ssh/sshd/&c. as compat +# executables, only as native ones) or expose the .so symlink or .a +# static library for applications to link against. +# +# Note that while NOLINKLIB suppresses _installing_ the .so symlink, +# the .so symlink is still created in the objdir so bin/ssh can still +# use it to link. +NOCOMPAT= # defined +NOLINKLIB= # defined + .include .include "../Makefile.inc" diff -r 7db59feec584 -r 382ff7cdfb0d distrib/sets/lists/base/mi --- a/distrib/sets/lists/base/mi Tue Nov 25 18:49:34 2025 +0000 +++ b/distrib/sets/lists/base/mi Sun Dec 14 20:04:36 2025 +0000 
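Review bot: The comment added above `LIBSUBDIR= private` in crypto/external/bsd/openssh/Makefile.inc repeats a word ("installed there there") and describes PROGDPSUBDIRS as a link-time setting only. The commit description says the variable also adds `-Wl,-R${SHLIBDIR}/${_subdir_}`, so it fixes the run-time search path of ssh/sshd as well. I would reword the last two comment lines to `# libssh.so.N.M will be installed there, and set PROGDPSUBDIRS so` and `# ssh/sshd/sshd-session/&c. will find it at link time and at run time.` As far as the visible hunks show, LIBSUBDIR is read only by bsd.lib.mk and PROGDPSUBDIRS only by bsd.prog.mk; since this file is shared by the library and the programs, the comment could say so.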
@@ -1239,6 +1239,7 @@
 ./usr/lib/openssl/modules/legacy.so base-crypto-usr compatfile,pic,openssl=30
 ./usr/lib/openssl/modules/legacy.so base-crypto-usr compatfile,pic,openssl=35
 ./usr/lib/postfix base-postfix-usr
+./usr/lib/private base-sys-usr
 ./usr/lib/runemodule base-obsolete obsolete
 ./usr/lib/runemodule/libBIG5.a base-obsolete obsolete
 ./usr/lib/runemodule/libBIG5.so base-obsolete obsolete
@@ -1284,6 +1285,7 @@
 ./usr/libdata/debug/usr/lib/i18n base-i18n-root compatfile
 ./usr/libdata/debug/usr/lib/named base-sys-usr compatfile
 ./usr/libdata/debug/usr/lib/npf base-obsolete obsolete
+./usr/libdata/debug/usr/lib/private base-sys-usr compatfile
 ./usr/libdata/debug/usr/lib/security base-sys-usr compatfile
 ./usr/libdata/debug/usr/libexec base-sys-usr
 ./usr/libdata/debug/usr/libexec/ching base-sys-usr
diff -r 7db59feec584 -r 382ff7cdfb0d distrib/sets/lists/base/shl.mi
--- a/distrib/sets/lists/base/shl.mi Tue Nov 25 18:49:34 2025 +0000
+++ b/distrib/sets/lists/base/shl.mi Sun Dec 14 20:04:36 2025 +0000
@@ -895,9 +895,7 @@
 ./usr/lib/libsqlite3.so.1 base-sys-shlib compatfile
 ./usr/lib/libsqlite3.so.1.5 base-sys-shlib compatfile
 ./usr/lib/libss.so base-obsolete obsolete
-./usr/lib/libssh.so base-secsh-shlib compatfile
-./usr/lib/libssh.so.50 base-secsh-shlib compatfile
-./usr/lib/libssh.so.50.0 base-secsh-shlib compatfile
+./usr/lib/libssh.so base-obsolete obsolete
 ./usr/lib/libssl.so base-crypto-shlib compatfile
 ./usr/lib/libssl.so.12 base-crypto-shlib compatfile,openssl=10
 ./usr/lib/libssl.so.12.0 base-crypto-shlib compatfile,openssl=10
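Review bot: Only `./usr/lib/libssh.so` is marked obsolete in the distrib/sets/lists/base/shl.mi hunk; the `libssh.so.50` and `libssh.so.50.0` entries are dropped from the list rather than marked obsolete. If the upgrade tooling removes only files that are listed as obsolete, an upgraded system keeps the old /usr/lib/libssh.so.50.0, which no later update replaces, so a third-party binary already linked against it would keep loading an unpatched copy. If leaving it in place is intentional, to keep such binaries running, a sentence in the commit description or the release notes would let administrators audit for the stale file and remove it.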
@@ -1003,6 +1001,8 @@
 ./usr/lib/nss_mdns.so.0 base-obsolete obsolete
 ./usr/lib/nss_mdnsd.so.0 base-mdns-shlib mdns
 ./usr/lib/nss_multicast_dns.so.0 base-mdns-shlib mdns
+./usr/lib/private/libssh.so.50 base-secsh-shlib
+./usr/lib/private/libssh.so.50.0 base-secsh-shlib
 ./usr/lib/security/pam_afslog.so.4 base-sys-shlib compatfile,kerberos,pam
 ./usr/lib/security/pam_chroot.so.4 base-sys-shlib compatfile,pam
 ./usr/lib/security/pam_deny.so.4 base-sys-shlib compatfile,pam
diff -r 7db59feec584 -r 382ff7cdfb0d distrib/sets/lists/comp/mi
--- a/distrib/sets/lists/comp/mi Tue Nov 25 18:49:34 2025 +0000
+++ b/distrib/sets/lists/comp/mi Sun Dec 14 20:04:36 2025 +0000
@@ -4487,8 +4487,8 @@
 ./usr/lib/libsqlite3_p.a comp-c-proflib compatfile,profile
 ./usr/lib/libss.a comp-obsolete obsolete
 ./usr/lib/libss_p.a comp-obsolete obsolete
-./usr/lib/libssh.a comp-c-lib compatfile
-./usr/lib/libssh_p.a comp-c-proflib compatfile,profile
+./usr/lib/libssh.a comp-obsolete obsolete
+./usr/lib/libssh_p.a comp-obsolete obsolete
 ./usr/lib/libssl.a comp-c-lib compatfile
 ./usr/lib/libssl_p.a comp-c-proflib compatfile,profile
 ./usr/lib/libssp.a comp-obsolete obsolete
diff -r 7db59feec584 -r 382ff7cdfb0d distrib/sets/lists/comp/shl.mi
--- a/distrib/sets/lists/comp/shl.mi Tue Nov 25 18:49:34 2025 +0000
+++ b/distrib/sets/lists/comp/shl.mi Sun Dec 14 20:04:36 2025 +0000
@@ -273,7 +273,7 @@
 ./usr/lib/libsl_pic.a comp-c-piclib compatfile,picinstall,kerberos
 ./usr/lib/libsqlite3_pic.a comp-c-piclib compatfile,picinstall
 ./usr/lib/libss_pic.a comp-obsolete obsolete
-./usr/lib/libssh_pic.a comp-c-piclib compatfile,picinstall
+./usr/lib/libssh_pic.a comp-obsolete obsolete
 ./usr/lib/libssl_pic.a comp-c-piclib compatfile,picinstall
 ./usr/lib/libssp_pic.a comp-obsolete obsolete
 ./usr/lib/libstdc++_pic.a comp-cxx-piclib compatfile,picinstall,cxx,gcccmds,libstdcxx
diff -r 7db59feec584 -r 382ff7cdfb0d distrib/sets/lists/debug/mi
--- a/distrib/sets/lists/debug/mi Tue Nov 25 18:49:34 2025 +0000
+++ b/distrib/sets/lists/debug/mi Sun Dec 14 20:04:36 2025 +0000
@@ -256,7 +256,7 @@
 ./usr/lib/libsl_g.a comp-c-debuglib debuglib,compatfile,kerberos
 ./usr/lib/libsqlite3_g.a comp-c-debuglib debuglib,compatfile
 ./usr/lib/libss_g.a comp-obsolete obsolete,compatfile
-./usr/lib/libssh_g.a comp-c-debuglib debuglib,compatfile
+./usr/lib/libssh_g.a comp-obsolete obsolete
 ./usr/lib/libssl_g.a comp-c-debuglib debuglib,compatfile
 ./usr/lib/libstdc++_g.a comp-c-debuglib debuglib,compatfile,cxx,gcc,libstdcxx
 ./usr/lib/libsupc++_g.a comp-c-debuglib debuglib,compatfile,cxx,gcc,libstdcxx
diff -r 7db59feec584 -r 382ff7cdfb0d distrib/sets/lists/debug/shl.mi
--- a/distrib/sets/lists/debug/shl.mi Tue Nov 25 18:49:34 2025 +0000
+++ b/distrib/sets/lists/debug/shl.mi Sun Dec 14 20:04:36 2025 +0000
@@ -305,7 +305,6 @@
 ./usr/libdata/debug/usr/lib/libskey.so.2.0.debug comp-sys-debug debug,compatfile,skey
 ./usr/libdata/debug/usr/lib/libsl.so.7.0.debug comp-krb5-debug debug,compatfile,kerberos
 ./usr/libdata/debug/usr/lib/libsqlite3.so.1.5.debug comp-sys-debug debug,compatfile
-./usr/libdata/debug/usr/lib/libssh.so.50.0.debug comp-secsh-debug debug,compatfile
 ./usr/libdata/debug/usr/lib/libssl.so.12.0.debug comp-crypto-debug debug,compatfile,openssl=10
 ./usr/libdata/debug/usr/lib/libssl.so.14.0.debug comp-crypto-debug debug,compatfile,openssl=11
 ./usr/libdata/debug/usr/lib/libssl.so.15.0.debug comp-crypto-debug debug,compatfile,openssl=30
@@ -340,6 +339,7 @@
 ./usr/libdata/debug/usr/lib/npf/libext_log.so.0.0.debug comp-obsolete debug,compatfile,npf,obsolete
 ./usr/libdata/debug/usr/lib/npf/libext_normalise.so.0.0.debug comp-obsolete debug,compatfile,npf,obsolete
 ./usr/libdata/debug/usr/lib/npf/libext_rndblock.so.0.0.debug comp-obsolete debug,compatfile,npf,obsolete
+./usr/libdata/debug/usr/lib/private/libssh.so.50.0.debug comp-secsh-debug debug
 ./usr/libdata/debug/usr/lib/security/pam_afslog.so.4.debug base-sys-debug debug,compatfile,pam
 ./usr/libdata/debug/usr/lib/security/pam_chroot.so.4.debug base-sys-debug debug,compatfile,pam
 ./usr/libdata/debug/usr/lib/security/pam_deny.so.4.debug base-sys-debug debug,compatfile,pam
diff -r 7db59feec584 -r 382ff7cdfb0d etc/mtree/NetBSD.dist.base
--- a/etc/mtree/NetBSD.dist.base Tue Nov 25 18:49:34 2025 +0000
+++ b/etc/mtree/NetBSD.dist.base Sun Dec 14 20:04:36 2025 +0000
@@ -360,6 +360,7 @@
 ./usr/lib/openssl/modules
 ./usr/lib/pkgconfig
 ./usr/lib/postfix
+./usr/lib/private
 ./usr/lib/security
 ./usr/libdata
 ./usr/libdata/debug
@@ -375,6 +376,7 @@
 ./usr/libdata/debug/usr/lib
 ./usr/libdata/debug/usr/lib/i18n
 ./usr/libdata/debug/usr/lib/named
+./usr/libdata/debug/usr/lib/private
 ./usr/libdata/debug/usr/lib/security
 ./usr/libdata/debug/usr/libexec
 ./usr/libdata/debug/usr/libexec/ching
diff -r 7db59feec584 -r 382ff7cdfb0d share/mk/bsd.lib.mk
--- a/share/mk/bsd.lib.mk Tue Nov 25 18:49:34 2025 +0000
+++ b/share/mk/bsd.lib.mk Sun Dec 14 20:04:36 2025 +0000
@@ -431,11 +431,14 @@ _LIB.so.debug:=${_LIB.so.full}.debug .endif .endif -_DEST.LIB:=${DESTDIR}${LIBDIR} -_DEST.OBJ:=${DESTDIR}${_LIBSODIR} -_DEST.LINT:=${DESTDIR}${LINTLIBDIR} -_DEST.DEBUG:=${DESTDIR}${DEBUGDIR}${LIBDIR} -_DEST.ODEBUG:=${DESTDIR}${DEBUGDIR}${_LIBSODIR} +LIBSUBDIR?= # empty +_LIBSLASHSUBDIR= ${"${LIBSUBDIR}" == "":?:/${LIBSUBDIR}} + +_DEST.LIB:=${DESTDIR}${LIBDIR}${_LIBSLASHSUBDIR} +_DEST.OBJ:=${DESTDIR}${_LIBSODIR}${_LIBSLASHSUBDIR} +_DEST.LINT:=${DESTDIR}${LINTLIBDIR}${_LIBSLASHSUBDIR} +_DEST.DEBUG:=${DESTDIR}${DEBUGDIR}${LIBDIR}${_LIBSLASHSUBDIR} +_DEST.ODEBUG:=${DESTDIR}${DEBUGDIR}${_LIBSODIR}${_LIBSLASHSUBDIR} .if ${MKPIC} == "no" || (defined(LDSTATIC) && ${LDSTATIC} != "") \ || ${MAKELINKLIB} != "no" || ${MAKESTATICLIB} != "no" @@ -591,6 +594,22 @@ _LIBLDOPTS+= -Wl,-x _LIBLDOPTS+= -Wl,-X .endif +# XXX Provisional -- we should get this out of LIBDPLIBS for each +# specific dependency so we can write the directory in one place where +# the library is defined, and not copy and paste it everywhere the +# library is used. +# +# XXX BEWARE: This should only be used by libraries that are private, +# to link against libraries that are private. If you are tempted to +# use this in a library that we expose for applications to link +# against, you need to find another way -- you can't link a library +# against private dependencies without transitively exposing them to +# applications. +.for _subdir_ in ${LIBDPSUBDIRS:U} +_LIBLDOPTS+= -Wl,-rpath,${SHLIBDIR}/${_subdir_} \ + -L=${SHLIBDIR}/${_subdir_} +.endfor + # gcc -shared now adds -lc automatically. For libraries other than libc and # libgcc* we add as a dependency the installed shared libc. For libc and # libgcc* we avoid adding libc as a dependency by using -nostdlib. Note that diff -r 7db59feec584 -r 382ff7cdfb0d share/mk/bsd.prog.mk --- a/share/mk/bsd.prog.mk Tue Nov 25 18:49:34 2025 +0000 +++ b/share/mk/bsd.prog.mk Sun Dec 14 20:04:36 2025 +0000 
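Review bot: `_DEST.LINT` gets `${_LIBSLASHSUBDIR}` appended like the other four destinations in the first bsd.lib.mk hunk, but the mtree hunks in this commit create only ./usr/lib/private and ./usr/libdata/debug/usr/lib/private. A library that sets LIBSUBDIR and still installs a lint library would target a `${LINTLIBDIR}/private` directory that nothing visible here creates; whether that path is reachable depends on lint handling outside the hunk. Either keep that line as `_DEST.LINT:=${DESTDIR}${LINTLIBDIR}` or add the directory to the mtree and set lists. A comment above `LIBSUBDIR?=` stating that the value is a single path component such as `private` would also help, since it is appended unchecked to five install paths.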
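Review bot: The LIBDPSUBDIRS loop in the second bsd.lib.mk hunk builds its search path from `${SHLIBDIR}/${_subdir_}`, while the first hunk installs the shared object into `${_LIBSODIR}${_LIBSLASHSUBDIR}`. Both variables are defined outside the hunk, but if they can differ for some library, the recorded rpath names a directory the library is not installed in. The consumer would then either fail to start or resolve the library from elsewhere on its search path. The PROGDPSUBDIRS loop in bsd.prog.mk has the same shape. Consider deriving the install directory and the rpath from one variable, or add a comment that a LIBSUBDIR library must install under `${SHLIBDIR}`.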
@@ -289,6 +289,15 @@ _PROGLDOPTS+= -Wl,-rpath-link,${DESTDIR} -L=${SHLIBINSTALLDIR} .endif +# XXX Provisional -- we should get this out of PROGDPLIBS for each +# specific dependency so we can write the directory in one place where +# the library is defined, and not copy and paste it everywhere the +# library is used. +.for _subdir_ in ${PROGDPSUBDIRS:U} +_PROGLDOPTS+= -Wl,-rpath,${SHLIBDIR}/${_subdir_} \ + -L=${SHLIBDIR}/${_subdir_} +.endfor + __proginstall: .USE ${_MKTARGET_INSTALL} ${INSTALL_FILE} -o ${BINOWN} -g ${BINGRP} -m ${BINMODE} \
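Review bot: The XXX comment above the PROGDPSUBDIRS loop does not say that `-Wl,-rpath` makes each listed directory a run-time library search directory of the installed program, which matters for privileged consumers such as sshd. I would add `# Each entry becomes a run-time search directory (-rpath) of the installed program; list only directories the base mtree creates root-owned and not group- or world-writable.` The `./usr/lib/private` mtree entry in this commit carries no explicit owner or mode, so it presumably inherits that file's defaults, which are outside the hunk and worth confirming. The `__proginstall` recipe that follows the loop continues past the end of the hunk.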