Backporting to stretch: OpenSSL versions mix
Etienne Dysli Metref
etienne.dysli-metref at switch.ch
Fri Mar 22 12:41:28 GMT 2019
On 21/03/2019 11.27, wferi at niif.hu wrote:
> There's an XMLTooling test which occasionally fails without the
> patch:
>
> $ i=0; while ./xmltoolingtest SignatureTest testSignatureDSA; do
> i=$(($i+1)); done; echo $i
>
> printed 20, 6, 71, 6, 106, 279, 20, 25, 2, 27, etc. after the
> "Signature Length incorrect" exception before I added the padding
> in unstable. Check if you still get this with your original
> backports binary (with the padding dropped), then replace
> libxml-security-c20 and see if you still get the errors.

My backport without the padding also failed, printing 38, 133, 106.
Since testOpenSSLDSA failed during the build I tried it too in the
same loop and it also randomly fails. Swapping libxml-security-c20 for
the one with your patch [60acda36], I can run the loop without
failure. So your patch is indeed required.

>> In 36577efb, you used `libssl1.0-dev (>= 1.0.1)` while other
>> packages (xmltooling in debian/stretch for example) have
>> `libssl1.0-dev | libssl-dev (<< 1.1.0~)`. The latter looks safer,
>> but is it really better?
>
> I just reverted to what it was. The latter is backporting-safe, so
> if you plan to backport the SP3 stack to jessie, it's a better
> choice.

I don't plan to backport the SP3 to jessie because xerces 3.2 isn't
available there, but I still prefer to use the backporting-safe
dependency.

Unless you disagree, I'll rebase wferi/debian/stretch-backports onto
debian/stretch-backports and run with that for the other packages.

Cheers,
Etienne