[Pkg-openssl-devel] Statement(s) on libssl situation desired
Nathanael Nerode
neroden at twcny.rr.com
Fri Oct 14 17:45:12 UTC 2005
luk at debian.org wrote:
> Kurt Roeckx wrote:
<snip>
> > I intend to drop the libssl0.9.7-dev package in the next upload,
> > which I hope to do soon. I don't think it's a good idea to keep
> > that -dev package around. Unless the release team ask me to keep
> > it around, I'll remove it.
>
> I would be very surprised if the release team would ask you to keep it
> around (due to conversations on IRC).
Oh good grief.
What are the plans for the libssl fiasco? Consider this a formal request for
a statement.
Note the following apparent facts:
* libssl0.9.7 and libssl0.9.8, if linked in the same binary, will cause
unpredictable failure due to symbol conflicts.
* This could be fixed if libssl0.9.8 had versioned symbols, which it doesn't
yet.
* I see from pkg-openssl-devel that the plans are to version the symbols in
libssl0.9.8.
Is this a settled decision yet? (If so, good!) Is there an ETA for a
versioned version (ahem) in unstable? Has it been accepted by upstream. If
not, will it be done in Debian anyway? Will it be done ASAP or are plans to
wait for upstream?
If we are planning to wait until upstream accepts this, what will be done to
deal with the problem in the meantime?
Packages built against the unversioned libssl0.9.8 will, when run on a system
with versioned libssl0.9.8, either pick up the symbols from libssl0.9.7
(wrong) or not find their symbols (segfault). Accordingly, all packages
linked against the current libssl0.9.8 are in trouble and will need rebuilds.
However, currently there is *nothing* preventing yet more packages being
built against it. Are there plans to deal with this? (Perhaps, at the
least, a warning message to d-d-a telling people not to upload packages built
against libssl0.9.8 at this time?)
It may also be nontrivial to identify such packages after versioned
libssl0.9.8 goes into the archive (all packages depending on libssl0.9.8 will
require an audit of their symbols to see whether they were built against the
versioned version). This may be avoided by a shlibs bump or package name
change for the versioned libssl0.9.8.
Finally, are there any plans to alleviate testing migration issues for
packages held up by this, and if so, how?
--
Nathanael Nerode <neroden at twcny.rr.com>
A thousand reasons. http://www.thousandreasons.org/
Lies, theft, war, kidnapping, torture, rape, murder...
Get me out of this fascist nightmare!
More information about the Pkg-openssl-devel
mailing list