[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#828236: Bug#844160: openssl 1.1 and apache2



On Monday, 14 November 2016 05:03:45 CET Ondřej Surý wrote:
> > Looking at mod_ssl_openssl.h and the comment in #828330,
> > I'd suggest the change below to add a dependency on libssl1.0-dev
> > to apache2-dev.
> 
> And that exactly happens meaning that PHP 7.0 can no longer be built
> unless all it's build-depends (including PHP 7.0) and rdepends move to
> libssl1.0-dev as well.
> 
> So a nice deadlock, right? To be honest I would rather have a slightly
> less tested apache2 with OpenSSL 1.1.0 and iron out the bugs as we go
> than revert all the work I have done.

I must admit that I did not think of php when doing that change, sorry. 

On the other hand, shibboleth-sp2 also build-depends on apache2-dev and there 
have been some indications that shibboleth won't be switching to openssl 1.1 
for stretch. See https://lists.debian.org/debian-release/2016/11/msg00024.html

I agree with Ondřej that this will get very entangled. There will be one big 
dependency-blob that contains most complex packages and can only be 
transitioned together. And a few leaf packages that can be transitioned 
easily. For example, subversion also build-depends on apache, and kde build-
depends on subversion. Though libsvn-dev does not depend on apache2-dev, so 
maybe this is not actually a problem.

> I reviewed the patch Kurt has provided and I don't see any strong reason
> why anything should break.

With Kurt's patch, apache2 crashes on startup with an invalid free. On the 
other hand, the patch from the upstream 2.4.x-openssl-1.1.0-compat branch 
seems to work at first glance and does not cause any regression in the test 
suite. So if we are going to have apache with openssl 1.1, it's going to be 
the upstream patch. 

But we first need to figure out what to do with  shibboleth-sp2 . 

My preference would be to make openssl 1.0 provide libssl-dev again and only 
have a few simple packages opt-in to using libssl1.1-dev.

Cheers,
Stefan


Reply to: