Bug#828236: [Pkg-openssl-devel] Bug#844160: openssl 1.1 and apache2
On Wed, Nov 16, 2016 at 11:05:13PM +0100, Stefan Fritsch wrote:
> Hi,
>
> [I have trimmed the cc list a bit]
>
> On Wednesday, 16 November 2016 20:36:49 CET Kurt Roeckx wrote:
> > On Mon, Nov 14, 2016 at 03:06:44PM -0800, Russ Allbery wrote:
> > > Stefan Fritsch <sf@debian.org> writes:
> > > > I must admit that I did not think of php when doing that change, sorry.
> > > >
> > > > On the other hand, shibboleth-sp2 also build-depends on apache2-dev and
> > > > there have been some indications that shibboleth won't be switching to
> > > > openssl 1.1 for stretch. See
> > > > https://lists.debian.org/debian-release/2016/11/msg00024.html>
> > > It turns out that Shibboleth will be okay if Apache goes to 1.1. The
> > > Shibboleth code that goes into Apache is isolated from the OpenSSL use
> > > inside Shibboleth, so we can keep building Shibboleth against 1.0 and
> > > Apache can go to 1.1 and all the pieces are happy. (The OpenSSL work is
> > > done in a separate daemon, shibd, that the Apache module talks to.)
> >
> > So I looked at apache2-dev to see why it depends on libssl-dev.
> > The only thing I can find is that mod_ssl_openssl.h provides some
> > hooks, and you actually get SSL_CTX * and SSL * in there. But
> > nothing in Debian seems to include that file.
>
> That header was created for mod_ssl_ct which provides support for certificate
> transparency. It's quite new and likely that nothing else uses the header. It
> would probably be acceptable to remove the dependency in apache2-dev on
> libssl-dev and add a caveat to the README.Debian. I could also not install the
> header, or put it into a separate new package that depends on libssl-dev.
So can you confirm that the only reason for the libssl-dev
depedency is that file?
Kurt
Reply to: