[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#828236: [Pkg-openssl-devel] Bug#844160: openssl 1.1 and apache2

On Fri, Nov 18, 2016 at 06:10:31AM +0100, Stefan Fritsch wrote:
> On Friday, 18 November 2016 01:09:53 CET Adrian Bunk wrote:
> > On Thu, Nov 17, 2016 at 11:18:57PM +0100, Stefan Fritsch wrote:
> > > On Thursday, 17 November 2016 21:39:19 CET Kurt Roeckx wrote:
> > > > > That header was created for mod_ssl_ct which provides support for
> > > > > certificate  transparency. It's quite new and likely that nothing else
> > > > > uses the header. It would probably be acceptable to remove the
> > > > > dependency
> > > > > in apache2-dev on libssl-dev and add a caveat to the README.Debian. I
> > > > > could also not install the header, or put it into a separate new
> > > > > package
> > > > > that depends on libssl-dev.
> > > > 
> > > > So can you confirm that the only reason for the libssl-dev
> > > > depedency is that file?
> > > 
> > > Yes.
> > 
> > What does create the dependency in
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828330#16
> > ?
> 
> By including its own copy of ssl_private.h from the apache source (not 
> installed in apache2-dev). Urgh.
> 
> /*
>  * After 2.0.49, Apache mod_ssl has most of the mod_ssl structures defined
>  * in ssl_private.h, which is not installed along with httpd-devel (eg in
>  * the FC2 RPM.) This include file provides SIMPLIFIED structures for use
>  * by mod_gridsite: for example, pointers to unused structures are replaced
>  * by  void *  and some of the structures are truncated when only the early
>  * members are used.
>  *
>  * CLEARLY, THIS WILL BREAK IF THERE ARE MAJOR CHANGES TO ssl_private.h!!!
>  */

Are there other packages that are doing similar things?

And unrelated to the problem in this bug:
Now that there is a proper header, it should be used in GridSite?

> That's very ugly. So, not installing mod_ssl_openssl.h or a caveat in 
> README.Debian would not help.
> 
> But putting it into a separate apache2-mod_ssl-dev package with the proper 
> mod_ssl dependency would still work. gridsite would then need to build-dep on 
> that package and (AFAICS) php does not do the same ugly tricks and would be 
> unaffected by the dependency on libssl1.0-dev.

This is the build-dependency side.

But this would still allow installing GridSite and Apache compiled with 
different OpenSSL versions.

Creating a dependency on apache-abi-openssl-1-0-2 for every user of the 
affected symbols and providing that (similar to qtbase-abi-5-6-1) would
be the proper solution.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
Reply to: