[Pkg-openssl-devel] Bug#846113: polygraph loses SSL support when compiled with OpenSSL 1.1

Adrian Bunk bunk at stusta.de
Wed Nov 30 22:46:31 UTC 2016


On Wed, Nov 30, 2016 at 09:43:48PM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-11-30 01:16:09 [+0200], Adrian Bunk wrote:
> > > I thought we agreed not to tag this as a patch
> > 
> > Where did I agree to that?
> 
> The last time I pointed it out and you replied that the problem is that
> "two things are tracked in one bug but it can't be cloned".

I definitely did not agree to no longer tagging the RC bugs.

Tagging makes it visible that there is a workaround for the RC issue.

> > > but as a hint what can be
> > > done if the maintainer chooses to stay with 1.0.
> > 
> > Reality in Debian is that a large number of packages are not well 
> > maintained, polygraph is actually orphaned.
> 
> It received uploads since I orphaned it so I wouldn't say that it is not
> well maintained. However the last upload lost SSL on its way to the
> archive so it is 50-50 :)
> 
> > > Do you expect this bug
> > > to be closed once it switches to libssl1.0-dev?
> > 
> > The thing I do care about is not the patch tag, the thing I do care 
> > about is that we are not losing any packages in stretch due to the
> > whole OpenSSL situation.
> 
> Yes? So you switch to 1.0.2 for a package that is not well maintained
> and we get back here in Buster but we don't lose a package in Stretch?

The problem here is the schedule.

We are now 3 months after the release of 1.1.0, and the same point for 
buster will be 2 years after the release of 1.1.0.

For buster 1.1.0 support will for many packages just be present 
automatically from upstream.

> It has low popcon and if it wouldn't be you, then we probably would have
> polygraph without SSL. And looking at my tracker there are more packages
> that depend on libssl-dev and don't link against it.

I did check every single binary package that did depend on libssl1.0.2 
in unstable before libssl-dev was changed to 1.1.0, and that does not
depend on libssl1.0.2 or libssl1.1 now (and I'll run this regularly
in the future until the whole OpenSSL situation is sorted out).

polygraph was the only one I found so far (in addition to the ones Hilko 
already reported) where the dependency was silently and unintentionally 
dropped.

> > A patch tag makes it visible that there is a solution for the RC issue 
> > in stretch.
> 
> I attached a patch which builds against 1.1.0. Let's see if somebody is
> able to test it.

Many of the build-fixes for 1.1.0 you previously provided were AFAIK 
only build-tested and won't get any runtime testing until binNMUs
will happen.

Please make a QA upload with your patch soon, having it in unstable is 
the only realistic chance of getting bug reports in case polygraph does
for some reason not work properly with 1.1.0.

> > Who is going to do the uploads for the ~ 100 not well maintained 
> > packages that need to be switched to 1.0.2?
> > 
> > Will you do these?
> 
> If the release team says we have to finish the asap then I will step up
> and try my best.
> 
> > It should be your job for making dual 1.0.2/1.1 work.
> > 
> > Or will you at least sponsor me, if I send you a batch of 100 NMUs and 
> > QA uploads switching packages to 1.0.2?
> 
> If the 100 NMUs are tested and not just switched the build-depends then
> maybe. But as you see here, you don't need special powers to get things
> compiled with 1.1.0.

I have no experience in OpenSSL programming, and I have no desire to 
learn about it any time soon.

> I actually spent more time writing this email than
> the patch. And I would like to avoid switching B-D now and looking at it
> again after the release.

This is the actual root of the conflict between you and me.

There are ~ 100 packages in unstable that need a fix/workaround for
the OpenSSL RC bug, and this must be uploaded during the next 3 weeks
or the package will not be in stretch.

I am really not happy about the prospect that I might end up sending
100 separate "RFS: [NMU, RC]" in a few days for getting this done.

I know that you are mostly interested in 1.1.0, but with 1.1.0 as 
default the part of the archive that is not ready for 1.1.0 must
be manually switched to use 1.0.2.

> Sebastian

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed