Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

Ferenc Wágner wferi at niif.hu
Tue Dec 6 12:28:33 UTC 2016

Sam Hartman <hartmans at debian.org> writes:

> can we (Debian) support SSL 1.1 with Shibboleth?
> That is, are the patches something you're comfortable integrating as
> Debian?

I haven't seen the latest iteration of the Santuario compatibility
patches yet.  Judging by the earlier glimpses, they are quite big and
require several memory management changes and at least one logic change.
But they are backed by tests and they are the result of a big chunk of
careful work.  If we weren't talking about security software, I'd have
no objections...  If upstream released the compatible code (not the
current patch set, which has divergent code paths at more places than
necessary) soon, even without changing to OpenSSL 1.1, that would also
help, because the compatibility defines and functions are provided by
the OpenSSL porting guide and the maintenance/support areas stayed well
separated for upstream and Debian.  I'd still welcome reviewers, though,
please don't let me do this alone.

But I still think it would be better to provide libcurl4-openssl1.0-dev
somehow.  Curl already provides several flavours (for OpenSSL, NSS and
GnuTLS), though extending this to OpenSSL 1.0 isn't readily possible
because libssl1.0-dev conflicts with libssl-dev.  Curl maintainers
(Cc-ed), do you think you could pull this off?

More information about the Pkg-shibboleth-devel mailing list