Bug#828236: Bug#844160: openssl 1.1 and apache2
On Monday, 14 November 2016 05:03:45 CET Ondřej Surý wrote:
> > Looking at mod_ssl_openssl.h and the comment in #828330,
> > I'd suggest the change below to add a dependency on libssl1.0-dev
> > to apache2-dev.
> And that exactly happens meaning that PHP 7.0 can no longer be built
> unless all its build-depends (including PHP 7.0) and rdepends move to
> libssl1.0-dev as well.
> So a nice deadlock, right? To be honest I would rather have a slightly
> less tested apache2 with OpenSSL 1.1.0 and iron out the bugs as we go
> than revert all the work I have done.
I must admit that I did not think of php when doing that change, sorry.
On the other hand, shibboleth-sp2 also build-depends on apache2-dev and there
have been some indications that shibboleth won't be switching to openssl 1.1
for stretch. See https://lists.debian.org/debian-release/2016/11/msg00024.html
I agree with Ondřej that this will get very entangled. There will be one big
dependency-blob that contains most complex packages and can only be
transitioned together. And a few leaf packages that can be transitioned
easily. For example, subversion also build-depends on apache, and kde
build-depends on subversion. Though libsvn-dev does not depend on apache2-dev, so
maybe this is not actually a problem.
> I reviewed the patch Kurt has provided and I don't see any strong reason
> why anything should break.
With Kurt's patch, apache2 crashes on startup with an invalid free. On the
other hand, the patch from the upstream 2.4.x-openssl-1.1.0-compat branch
seems to work at first glance and does not cause any regression in the test
suite. So if we are going to have apache with openssl 1.1, it's going to be
the upstream patch.
But we first need to figure out what to do with shibboleth-sp2.
My preference would be to make openssl 1.0 provide libssl-dev again and only
have a few simple packages opt-in to using libssl1.1-dev.