[Debian-med-packaging] Proposed (lib)curl switch to openssl 1.1

Ian Jackson ijackson at chiark.greenend.org.uk
Thu Nov 23 15:49:26 UTC 2017


(Resending to fix the mail headers, sorry.  Please reply to this one,
not the previous one.)

Hi.  You're receiving this mail because you fall into one or more of the
following categories:
 * Are associated with the curl package (To)
 * Have been involved in discussions I found in the BTS about
   libcurl and openssl 1.1 (CC), eg in #850880 or #844018
 * Maintain a package which calls CURLOPT_SSL_CTX_FUNCTION
   (CC, "CURLOPT_SSL_CTX_FUNCTION callers")
 * Are the Release Team (To, see bullet point 3 below)

We really need to migrate libcurl to openssl 1.1.  This is #858398,
which has not seen activity from any libcurl maintainers.

I am listed as an Uploader for curl but I haven't done a curl upload
and don't really understand the issues well.  But, as far as I
understand it, the right thing to do is just to change the
build-dependencies.

I have prepared a patch to do this and intend to upload it to sid on
Sunday unless someone explains to my why it's a bad idea.  See below.

Reasons I am aware that it *might* be a bad idea are:

1. libcurl exposes parts of the openssl ABI, via
   CURLOPT_SSL_CTX_FUNCTION, and this would be an implicit ABI break
   without libcurl soname change.  This is not good, but it seems like
   the alternative would be to diverge our soname from everyone else's
   for the same libcurl.

2. For the reason just mentioned, it might be a good idea to put in a
   Breaks against old versions of packages using
   CURLOPT_SSL_CTX_FUNCTION.  However, (a) I am not sure if this is
   actually necessary (b) in any case I don't have a good list of all
   the appropriate versions (c) maybe this would need coordination.

3. This might be an implicit a "transition" (in the Debian release
   management sense) which I would be mishandling, or starting without
   permission, or something.

4. Perhaps not all of libcurl's rdepends can cope with openssl 1.1.
   However, now is a good time to break them so we discover them and
   can fix them.

It seems to me that now is a good time in the Buster release cycle to
take all these risks.

If you think uploading this on Sunday would be a bad idea please let
me know ASAP.  This issue has been festering and obviously we should
fix #858398 which is RC for libcurl, but nevertheless I'm prepared to
wait a bit longer because (i) I'm not confident I know what I'm doing
(ii) I don't think these issues have necessarily been explored
properly.

If someone else has a better understanding I would be quite happy to
hand this issue over to someone else.  Failing that, any contribution
of relevant facts, opinions, suggestions, etc. would be very welcome.

Thanks,
Ian.


>From 87df3380466355ac58572f5bff93734624fc214a Mon Sep 17 00:00:00 2001
From: Ian Jackson <ijackson at chiark.greenend.org.uk>
Date: Thu, 23 Nov 2017 12:49:08 +0000
Subject: [PATCH] Change build-depends to list libssl-dev first.  Outcome in
 sid/buster is to switch to openssl 1.1.  I am not changing the soname despite
 the implied change to the libcurl ABI, because we don't want to make our
 libcurl have a nonstandard soname.

---
 debian/changelog | 9 +++++++++
 debian/control   | 4 ++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index d5bb5791..f2413cdd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+curl (7.56.1-2) unstable; urgency=low
+
+  * Change build-depends to list libssl-dev first.  Outcome in sid/buster
+    is to switch to openssl 1.1.  I am not changing the soname despite the
+    implied change to the libcurl ABI, because we don't want to make our
+    libcurl have a nonstandard soname.
+
+ -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Thu, 23 Nov 2017 12:48:48 +0000
+
 curl (7.56.1-1) unstable; urgency=medium
 
   * New upstream release
diff --git a/debian/control b/debian/control
index 0871ade6..20b33f42 100644
--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,7 @@ Build-Depends: debhelper (>= 9.20141010~),
  libpsl-dev,
  librtmp-dev (>= 2.4+20131018.git79459a2-3~),
  libssh2-1-dev,
- libssl1.0-dev | libssl-dev (<< 1.1),
+ libssl-dev | libssl1.0-dev,
  libtool,
  openssh-server <!nocheck>,
  python:native,
@@ -130,7 +130,7 @@ Suggests: libcurl4-doc,
  libldap2-dev,
  librtmp-dev,
  libssh2-1-dev,
- libssl1.0-dev | libssl-dev (<< 1.1),
+ libssl-dev | libssl1.0-dev,
  pkg-config,
  zlib1g-dev
 Multi-Arch: same
-- 
2.11.0


-- 
Ian Jackson <ijackson at chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



More information about the Debian-med-packaging mailing list