[Pkg-openssl-devel] Bug#864160: Release notes should document how to compile 3rd party software against OpenSSL
Adrian Bunk
bunk at debian.org
Sun Jun 4 15:41:47 UTC 2017
Package: release-notes
Severity: normal

With both OpenSSL 1.0.2 and 1.1 included in stretch,
the release notes should document which to choose for
compiling 3rd party software.

In most cases either will work, but in some circumstances
compiling against the wrong OpenSSL version will result
in a crashing application (if some library used uses the
other OpenSSL version and incompatible data is passed
from one OpenSSL version to the other).

It was decided to not force the correct OpenSSL version through
libssl1.0-dev/libssl-dev dependencies.

For packages included in stretch choosing the correct OpenSSL
version was implemented through a review by Kurt half a year
ago and RC bugs forcing affected software to use the correct
version.

For stretch users compiling 3rd party software this should be
properly documented.

One consumer of this information should be stretch-backports,
whenever a package uses libssl1.0-dev in stretch but libssl-dev
in buster the information is required whether compiling with
libssl-dev in stretch-backports is safe.
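
The mixing described in this report, where a program and a library it uses end up on different OpenSSL versions, can be checked after a build by looking at the resolved shared-library list. The following is an added example, not part of the original message or of any Debian tooling: the function name openssl_mix_check and the sample ldd listings are constructed for illustration, and libexample.so.1 is a hypothetical third-party library.

```shell
#!/bin/sh
# Added example: classify the OpenSSL SONAMEs found in `ldd` output (stdin).
# Prints one of:
#   none              no libssl/libcrypto in the dependency list
#   single: <ver>     every OpenSSL library comes from one version
#   mixed: <v1> <v2>  two OpenSSL versions would be loaded into one process
openssl_mix_check() {
    # Keep only the version suffix of libssl.so.* / libcrypto.so.* entries.
    versions=$(sed -nE \
        's/^[[:space:]]*lib(ssl|crypto)\.so\.([0-9][0-9.]*)[[:space:]].*/\2/p' \
        | sort -u | tr '\n' ' ')
    versions=${versions% }          # drop the trailing separator
    case "$versions" in
        '')    echo "none" ;;
        *' '*) echo "mixed: $versions" ;;
        *)     echo "single: $versions" ;;
    esac
}

# Constructed sample: a program built against libssl-dev (1.1) that also
# pulls in a hypothetical library built against libssl1.0-dev (1.0.2).
SAMPLE_MIXED='    libexample.so.1 => /usr/local/lib/libexample.so.1 (0x00007f0000300000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000200000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000100000)
    libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f0000080000)
    libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f0000040000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

# Constructed sample: everything resolved against OpenSSL 1.1 only.
SAMPLE_SINGLE='    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000200000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000100000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

printf '%s\n' "$SAMPLE_MIXED"  | openssl_mix_check
printf '%s\n' "$SAMPLE_SINGLE" | openssl_mix_check

# Real use on a binary you built yourself (path is a placeholder):
#   ldd /path/to/your/binary | openssl_mix_check
```

ldd lists only load-time dependencies, so a plugin loaded later with dlopen() does not appear in the result. Run ldd only on binaries you trust, since it can execute code from the file it inspects.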