Proposed (lib)curl switch to openssl 1.1

Julien Cristau jcristau at debian.org
Sat Dec 2 17:09:39 UTC 2017


On Thu, Nov 23, 2017 at 15:49:26 +0000, Ian Jackson wrote:

> (Resending to fix the mail headers, sorry.  Please reply to this one,
> not the previous one.)
> 
> Hi.  You're receiving this mail because you fall into one or more of the
> following categories:
>  * Are associated with the curl package (To)
>  * Have been involved in discussions I found in the BTS about
>    libcurl and openssl 1.1 (CC), eg in #850880 or #844018
>  * Maintain a package which calls CURLOPT_SSL_CTX_FUNCTION
>    (CC, "CURLOPT_SSL_CTX_FUNCTION callers")
>  * Are the Release Team (To, see bullet point 3 below)
> 
> We really need to migrate libcurl to openssl 1.1.  This is #858398,
> which has not seen activity from any libcurl maintainers.
> 
> I am listed as an Uploader for curl but I haven't done a curl upload
> and don't really understand the issues well.  But, as far as I
> understand it, the right thing to do is just to change the
> build-dependencies.
> 
> I have prepared a patch to do this and intend to upload it to sid on
> Sunday unless someone explains to me why it's a bad idea.  See below.
> 
Thanks for moving this forward.

> Reasons I am aware that it *might* be a bad idea are:
> 
> 1. libcurl exposes parts of the openssl ABI, via
>    CURLOPT_SSL_CTX_FUNCTION, and this would be an implicit ABI break
>    without libcurl soname change.  This is not good, but it seems like
>    the alternative would be to diverge our soname from everyone else's
>    for the same libcurl.
> 
> 2. For the reason just mentioned, it might be a good idea to put in a
>    Breaks against old versions of packages using
>    CURLOPT_SSL_CTX_FUNCTION.  However, (a) I am not sure if this is
>    actually necessary (b) in any case I don't have a good list of all
>    the appropriate versions (c) maybe this would need coordination.
> 
> 3. This might be an implicit "transition" (in the Debian release
>    management sense) which I would be mishandling, or starting without
>    permission, or something.
> 
Because of 1 I think we should change the package name (and SONAME) for
libcurl3.  I don't think 2 is appropriate.

Cheers,
Julien



More information about the pkg-java-maintainers mailing list