Bug#828236: [Pkg-openssl-devel] Bug#844160: openssl 1.1 and apache2
On Fri, Nov 18, 2016 at 06:10:31AM +0100, Stefan Fritsch wrote:
> On Friday, 18 November 2016 01:09:53 CET Adrian Bunk wrote:
> > On Thu, Nov 17, 2016 at 11:18:57PM +0100, Stefan Fritsch wrote:
> > > On Thursday, 17 November 2016 21:39:19 CET Kurt Roeckx wrote:
> > > > > That header was created for mod_ssl_ct which provides support for
> > > > > certificate transparency. It's quite new and likely that nothing else
> > > > > uses the header. It would probably be acceptable to remove the dependency
> > > > > in apache2-dev on libssl-dev and add a caveat to the README.Debian. I
> > > > > could also not install the header, or put it into a separate new package
> > > > > that depends on libssl-dev.
> > > >
> > > > So can you confirm that the only reason for the libssl-dev
> > > > dependency is that file?
> > >
> > > Yes.
> >
> > What does create the dependency in
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828330#16
> > ?
>
> By including its own copy of ssl_private.h from the apache source (not
> installed in apache2-dev). Urgh.
>
> /*
> * After 2.0.49, Apache mod_ssl has most of the mod_ssl structures defined
> * in ssl_private.h, which is not installed along with httpd-devel (eg in
> * the FC2 RPM.) This include file provides SIMPLIFIED structures for use
> * by mod_gridsite: for example, pointers to unused structures are replaced
> * by void * and some of the structures are truncated when only the early
> * members are used.
> *
> * CLEARLY, THIS WILL BREAK IF THERE ARE MAJOR CHANGES TO ssl_private.h!!!
> */

Are there other packages that are doing similar things?

And unrelated to the problem in this bug:
Now that there is a proper header, it should be used in GridSite?

> That's very ugly. So, not installing mod_ssl_openssl.h or a caveat in
> README.Debian would not help.
>
> But putting it into a separate apache2-mod_ssl-dev package with the proper
> mod_ssl dependency would still work. gridsite would then need to build-dep on
> that package and (AFAICS) php does not do the same ugly tricks and would be
> unaffected by the dependency on libssl1.0-dev.

This is the build-dependency side.

But this would still allow installing GridSite and Apache compiled with
different OpenSSL versions.

Creating a dependency on apache-abi-openssl-1-0-2 for every user of the
affected symbols and providing that (similar to qtbase-abi-5-6-1) would
be the proper solution.

cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed