Proposed (lib)curl switch to openssl 1.1
jcristau at debian.org
Sat Dec 2 17:09:39 UTC 2017
On Thu, Nov 23, 2017 at 15:49:26 +0000, Ian Jackson wrote:
> (Resending to fix the mail headers, sorry. Please reply to this one,
> not the previous one.)
> Hi. You're receiving this mail because you fall into one or more of the
> following categories:
> * Are associated with the curl package (To)
> * Have been involved in discussions I found in the BTS about
> libcurl and openssl 1.1 (CC), eg in #850880 or #844018
> * Maintain a package which calls CURLOPT_SSL_CTX_FUNCTION
> (CC, "CURLOPT_SSL_CTX_FUNCTION callers")
> * Are the Release Team (To, see bullet point 3 below)
> We really need to migrate libcurl to openssl 1.1. This is #858398,
> which has not seen activity from any libcurl maintainers.
> I am listed as an Uploader for curl but I haven't done a curl upload
> and don't really understand the issues well. But, as far as I
> understand it, the right thing to do is just to change the
> I have prepared a patch to do this and intend to upload it to sid on
> Sunday unless someone explains to my why it's a bad idea. See below.
Thanks for moving this forward.
> Reasons I am aware that it *might* be a bad idea are:
> 1. libcurl exposes parts of the openssl ABI, via
> CURLOPT_SSL_CTX_FUNCTION, and this would be an implicit ABI break
> without libcurl soname change. This is not good, but it seems like
> the alternative would be to diverge our soname from everyone else's
> for the same libcurl.
> 2. For the reason just mentioned, it might be a good idea to put in a
> Breaks against old versions of packages using
> CURLOPT_SSL_CTX_FUNCTION. However, (a) I am not sure if this is
> actually necessary (b) in any case I don't have a good list of all
> the appropriate versions (c) maybe this would need coordination.
> 3. This might be an implicit a "transition" (in the Debian release
> management sense) which I would be mishandling, or starting without
> permission, or something.
Because of 1 I think we should change the package name (and SONAME) for
libcurl3. I don't think 2 is appropriate.
More information about the Pkg-shibboleth-devel