Bug#848113: libcrypt-openssl-rsa-perl: binary incompatibility with libcrypt-openssl-pkcs10-perl (openssl versions)

Niko Tyni ntyni at debian.org
Sat Dec 17 12:22:16 UTC 2016


Control: severity -1 important

On Sat, Dec 17, 2016 at 12:38:11PM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-12-14 19:21:07 [+0100], gregor herrmann wrote:
> > Hm, a breaks with a binNUM version sounds at least inelegant.
> > 
> > How about:
> > libcrypt-openssl-pkcs10-perl: Depends: libcrypt-openssl-rsa-perl (>= 0.28-4)
> > libcrypt-openssl-rsa-perl: Breaks: libcrypt-openssl-pkcs10-perl (<< 0.16-2)
> 
> All perl's openssl deps are now built against libssl1.1 so the testsuite
> problem is gone. 

Right, thanks. I see the autopkgtest failure is gone as well.

> It should not affect Jessie -> Stretch update because it
> updates all packages and one of the perl packages will pull in libssl1.1.

That's assuming all the rebuilt packages migrate into stretch so that
none with libssl1.0.2 dependencies are left. Is anybody monitoring this?

> So you could close this.
> If you want to add Breaks: & Depends: be aware that this affects more or less
> all perl packages which are built against libssl because they seem to pass the
> pointers from libssl around.

I'm not very happy with just ignoring the partial upgrade issues but
I can see that doing it all properly may not be worth the effort. OTOH
this is probably not the last openssl ABI change we will see.

One "proper" way to do this would be to introduce a perl-openssl-abi-1.1
virtual package that the others would depend on to make sure they are
compatible with each other. Not sure who should provide this; it could be
one of the existing binary packages (is there a "main" one?) or possibly
a new separate one (perl-openssl-defaults?)

(This is quite close to the perl-dbdabi-* thing we did for libdbi-perl
et al., even though it turned out to be unnecessary after all as upstream
backed out the ABI change that prompted it.)

The gain from all this would be that incompatible builds couldn't be
installed together, and normal britney dependency checks would then
ensure that testing gets updated in one go.

I'm downgrading the severity of this bug for now. Thoughts from
other team members?

For reference, here's a list of lib.*-perl packages depending on libssl1.*.
I assume "only" the libcrypt-openssl-* ones are passing libssl pointers
between them but I haven't checked.

  libcyrus-imap-perl
  liblasso-perl
  libcrypt-openssl-bignum-perl
  libcrypt-openssl-dsa-perl
  libcrypt-openssl-pkcs10-perl
  libcrypt-openssl-pkcs12-perl
  libcrypt-openssl-random-perl
  libcrypt-openssl-rsa-perl
  libcrypt-openssl-x509-perl
  libcrypt-smime-perl
  libcrypt-ssleay-perl
  libnet-ldns-perl
  libnet-ssleay-perl
  libnet-tclink-perl
  libpoe-filter-ssl-perl
  libsnmp-perl

-- 
Niko Tyni   ntyni at debian.org



More information about the pkg-perl-maintainers mailing list
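
A check for the partial-upgrade state discussed in the message above, as an added example that is not part of the original thread: it groups lib*-perl packages by the libssl ABI package they depend on and flags a system where more than one ABI is in use. The function names and the sample data (including the version constraints) are constructed for illustration; real input is assumed to come from `dpkg-query -W -f='${Package}\t${Depends}\n'`.

```shell
#!/bin/sh
# Added example: detect lib*-perl packages linked against different libssl ABIs.
# Input format on stdin: "package<TAB>depends-field", one package per line.

# Constructed sample input (package names from the thread, versions invented).
sample_status() {
    printf '%s\t%s\n' \
        libcrypt-openssl-rsa-perl 'perl, libc6 (>= 2.14), libssl1.1 (>= 1.1.0)' \
        libcrypt-openssl-pkcs10-perl 'perl, libcrypt-openssl-rsa-perl, libssl1.0.2 (>= 1.0.2d)' \
        libnet-ssleay-perl 'perl, libssl1.1 (>= 1.1.0)' \
        openssl 'libc6 (>= 2.14), libssl1.1 (>= 1.1.0)'
}

# Print "libsslX<TAB>package" for every lib*-perl package depending on a libssl ABI package.
libssl_abi_groups() {
    awk -F '\t' '
        $1 ~ /^lib.*-perl$/ {
            n = split($2, deps, /[,|]/)          # dependencies and their alternatives
            for (i = 1; i <= n; i++) {
                name = deps[i]
                sub(/^ +/, "", name)             # leading whitespace
                sub(/[ (:].*$/, "", name)        # version constraint or arch qualifier
                if (name ~ /^libssl[0-9]/) print name "\t" $1
            }
        }' | LC_ALL=C sort -u
}

# Count distinct libssl ABI packages in the output of libssl_abi_groups.
libssl_abi_count() {
    awk -F '\t' '!seen[$1]++ { n++ } END { print n + 0 }'
}

# Succeeds (exit 0) when packages on stdin depend on more than one libssl ABI.
libssl_abi_mixed() {
    [ "$(libssl_abi_groups | libssl_abi_count)" -gt 1 ]
}

# Demonstration on the constructed sample.
sample_status | libssl_abi_groups
if sample_status | libssl_abi_mixed; then
    echo "mixed libssl ABIs among lib*-perl packages"
fi
```
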