
Bug#844160: Bug#828236: [Pkg-openssl-devel] Bug#844160: openssl 1.1 and apache2



On Friday, 18 November 2016 19:20:15 CET Adrian Bunk wrote:
> On Fri, Nov 18, 2016 at 06:10:31AM +0100, Stefan Fritsch wrote:
> > On Friday, 18 November 2016 01:09:53 CET Adrian Bunk wrote:
> > > What does create the dependency in
> > > 
> > >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828330#16
> > > 
> > > ?
> > 
> > By including its own copy of ssl_private.h from the apache source (not
> > installed in apache2-dev). Urgh.
> > 

> Are there other packages that are doing similar things?

I did some grep among the modules in sid but found no other. [1]

> And unrelated to the problem in this bug:
> Now that there is a proper header, it should be used in GridSite?

In principle, yes. But it's quite possible that the APIs exposed in 
mod_ssl_openssl.h are not sufficient for gridsite. But then gridsite upstream 
should work with apache2 upstream to get the required APIs added.

> > But putting it into a separate apache2-mod_ssl-dev package with the proper
> > mod_ssl dependency would still work. gridsite would then need to build-dep
> > on that package and (AFAICS) php does not do the same ugly tricks and
> > would be unaffected by the dependency on libssl1.0-dev.
> 
> This is the build-dependency side.
> 
> But this would still allow installing GridSite and Apache compiled with
> different OpenSSL versions.
> 
> Creating a dependency on apache-abi-openssl-1-0-2 for every user of the
> affected symbols and providing that (similar to qtbase-abi-5-6-1) would
> be the proper solution.

We already have an apache2-api-20120211 virtual package that apache2-bin 
provides and that all modules should depend on. We could stop providing that 
and switch to apache2-api-20120211-openssl1.1 when we upgrade apache2 to 
openssl 1.1. This would at least require a binNMU of all apache2 modules. 
Modules that don't use dh_apache2 to generate the dependency would need a 
sourceful update.

On the other hand, since there seem to be so few modules that do this, adding 
some "breaks:" may be the better solution. The grep I did would then need to 
be re-done for modules that are in jessie but not in sid.

Cheers,
Stefan


[1] Assuming the module-packages are extracted in the current dir:
for f in $(find . -name \*.so) ; do strings $f | grep -qw -e ssl_module -e init_server -e pre_handshake -e proxy_post_handshake && echo $f ; done

