Bug#844160: Bug#828236: [Pkg-openssl-devel] Bug#844160: openssl 1.1 and apache2
On Friday, 18 November 2016 19:20:15 CET Adrian Bunk wrote:
> On Fri, Nov 18, 2016 at 06:10:31AM +0100, Stefan Fritsch wrote:
> > On Friday, 18 November 2016 01:09:53 CET Adrian Bunk wrote:
> > > What does create the dependency in
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828330#16
> > >
> > > ?
> >
> > By including its own copy of ssl_private.h from the apache source (not
> > installed in apache2-dev). Urgh.
> >
> Are there other packages that are doing similar things?
I did some grep among the modules in sid but found no other. [1]
> And unrelated to the problem in this bug:
> Now that there is a proper header, it should be used in GridSite?
In principle, yes. But it's quite possible that the APIs exposed in
mod_ssl_openssl.h are not sufficient for gridsite. But then gridsite upstream
should work with apache2 upstream to get the required APIs added.
> > But putting it into a separate apache2-mod_ssl-dev package with the proper
> > mod_ssl dependency would still work. gridsite would then need to build-dep
> > on that package and (AFAICS) php does not do the same ugly tricks and
> > would be unaffected by the dependency on libssl1.0-dev.
>
> This is the build-dependency side.
>
> But this would still allow installing GridSite and Apache compiled with
> different OpenSSL versions.
>
> Creating a dependency on apache-abi-openssl-1-0-2 for every user of the
> affected symbols and providing that (similar to qtbase-abi-5-6-1) would
> be the proper solution.
We already have an apache2-api-20120211 virtual package that apache2-bin
provides and that all modules should depend on. We could stop providing that
and switch to apache2-api-20120211-openssl1.1 when we upgrade apache2 to
openssl 1.1. This would at least require a binNMU of all apache2 modules.
Modules that don't use dh_apache2 to generate the dependency would need a
sourceful update.
On the other hand, since there seem to be so few modules that do this, adding
some "breaks:" may be the better solution. The grep I did would then need to
be re-done for modules that are in jessie but not in sid.
Cheers,
Stefan
[1] Assuming the module-packages are extracted in the current dir:
for f in $(find . -name \*.so) ; do strings "$f" | grep -qw -e ssl_module \
    -e init_server -e pre_handshake -e proxy_post_handshake && echo "$f" ; done
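
Added example, not part of the original mail and not Debian tooling: a variant of the footnote's scan that also reports which libssl SONAME string each matching module carries, so a module built against a different OpenSSL than apache2 stands out. The function names are hypothetical, and the SONAME lookup is a string heuristic (it assumes GNU grep; `readelf -d` is the authoritative source).

```sh
#!/bin/sh
# Added example: audit extracted module packages for use of mod_ssl internals.
# The four names below are the ones grepped for in the mail's footnote.
MODSSL_NAMES="ssl_module init_server pre_handshake proxy_post_handshake"

# Print, comma-separated, the MODSSL_NAMES that occur as whole words in file $1.
modssl_refs() {
    found=""
    for name in $MODSSL_NAMES; do
        # -a: read the binary as text, -w: whole word, -F: fixed string
        if LC_ALL=C grep -aqwF -e "$name" "$1"; then
            found="${found:+$found,}$name"
        fi
    done
    printf '%s' "$found"
}

# Print the libssl SONAME strings embedded in file $1. DT_NEEDED names are
# stored as plain strings in .dynstr, so this is a heuristic, not an ELF parse.
libssl_sonames() {
    LC_ALL=C grep -aoE 'libssl\.so\.[0-9]+(\.[0-9]+)*' "$1" \
        | sort -u | tr '\n' ',' | sed 's/,$//'
}

# Walk directory $1 and print "path<TAB>names<TAB>sonames" for every *.so
# that mentions a mod_ssl-internal name. Handles spaces in path names.
audit_modules() {
    find "$1" -type f -name '*.so' | while IFS= read -r f; do
        refs=$(modssl_refs "$f")
        [ -n "$refs" ] || continue
        printf '%s\t%s\t%s\n' "$f" "$refs" "$(libssl_sonames "$f")"
    done
}

# Usage: sh audit.sh /path/to/extracted/module-packages
if [ "$#" -gt 0 ]; then
    audit_modules "$1"
fi
```
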