[Pkg-openssl-devel] Bug#828236: Bug#844160: marked as done (apache2-dev should depend on libssl1.0-dev)
Ondřej Surý
ondrej at sury.org
Mon Nov 14 07:46:51 UTC 2016
On Mon, Nov 14, 2016, at 08:44, Ondřej Surý wrote:
> On Mon, Nov 14, 2016, at 08:21, Adrian Bunk wrote:
> > On Mon, Nov 14, 2016 at 05:03:45AM +0100, Ondřej Surý wrote:
> > > > Looking at mod_ssl_openssl.h and the comment in #828330,
> > > > I'd suggest the change below to add a dependency on libssl1.0-dev
> > > > to apache2-dev.
> > >
> > > And that exactly happens meaning that PHP 7.0 can no longer be built
> > > unless all it's build-depends (including PHP 7.0) and rdepends move to
> > > libssl1.0-dev as well.
> > >
> > > So a nice deadlock, right? To be honest I would rather have a slightly
> > > less tested apache2 with OpenSSL 1.1.0 and iron out the bugs as we go
> > > than revert all the work I have done.
> > >
> > > I reviewed the patch Kurt has provided and I don't see any strong reason
> > > why anything should break.
> > >...
> >
> > Can you guarantee that rdeps of Apache can use 1.0.2 in stretch when
> > Apache itself uses 1.1?
>
> Why?
>
> > That is the most important question here.
>
> No, I think the question is:
>
> Can we migrate (or drop) all rdeps to 1.0.2?
I meant s/1.0.2/1.1.0/
> > This is what my "mod_ssl_openssl.h and the comment in #828330"
> > was referring to.
> >
> > The dual 1.0.2/1.1 setup for stretch can only work when any set of
> > packages in the archive that needs the same OpenSSL version stays
> > at 1.0.2 unless *all* packages in this set are compiling and working
> > fine with 1.1
>
> The *set* you are talking probably cover whole archive, since the
> Build-Depends of PHP are quite vast and here are the Build-Depends
> of Build-Depends:
>
> (This is from stretch, not from unstable)
> apache2-dev libssl-dev (>= 0.9.8m)
> libc-client2007e-dev libssl-dev
> libcurl4-openssl-dev libssl-dev
> libevent-dev libssl-dev
> libkrb5-dev libssl-dev
> libpq-dev libssl-dev
> libsasl2-dev libssl-dev
> libsnmp-dev libssl-dev (>> 0.9.8)
>
> Greping just Depends: on -dev packages is slightly more optimistic:
>
> apache2-dev libssl-dev (<< 1.1)
> libc-client2007e-dev libssl-dev
> libpq-dev libssl-dev
> libsnmp-dev libssl-dev
>
> But ultimately I am afraid that libssl dependencies are so entagled
> that it will cover all archive.
>
> > And since the OpenSSL version used is part of the libcurl3 ABI
> > (see #844018 for details), using 1.1 in stretch is anyway not
> > really an option for Apache/PHP in stretch.
>
> What you are really saying is that using OpenSSL 1.1 is generally
> not an option for stretch.
>
> Cheers,
> --
> Ondřej Surý <ondrej at sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
> Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
> fast DNS(SEC) resolver
> Vše pro chleba (https://vseprochleba.cz) – Mouky ze mlýna a potřeby pro
> pečení chleba všeho druhu
More information about the Pkg-openssl-devel
mailing list