[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#844160: Bug#828236: [Pkg-openssl-devel] Bug#844160: openssl 1.1 and apache2

On Friday, 18 November 2016 19:20:15 CET Adrian Bunk wrote:
> On Fri, Nov 18, 2016 at 06:10:31AM +0100, Stefan Fritsch wrote:
> > On Friday, 18 November 2016 01:09:53 CET Adrian Bunk wrote:
> > > What does create the dependency in
> > > 
> > >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828330#16
> > > 
> > > ?
> > 
> > By including its own copy of ssl_private.h from the apache source (not
> > installed in apache2-dev). Urgh.
> > 

> Are there other packages that are doing similar things?

I did some grep among the modules in sid but found no other. [1]

> And unrelated to the problem in this bug:
> Now that there is a proper header, it should be used in GridSite?

In principle, yes. But it's quite possible that the APIs exposed in 
mod_ssl_openssl.h are not sufficient for gridsite. But then gridsite upstream 
should work with apache2 upstream to get the required APIs added.

> > But putting it into a separate apache2-mod_ssl-dev package with the proper
> > mod_ssl dependency would still work. gridsite would then need to build-dep
> > on that package and (AFAICS) php does not do the same ugly tricks and
> > would be unaffected by the dependency on libssl1.0-dev.
> This is the build-dependency side.
> But this would still allow installing GridSite and Apache compiled with
> different OpenSSL versions.
> Creating a dependency on apache-abi-openssl-1-0-2 for every user of the
> affected symbols and providing that (similar to qtbase-abi-5-6-1) would
> be the proper solution.

We already have a apache2-api-20120211 virtual package that apache2-bin 
provides and that all modules should depend on. We could stop providing that 
and switch to apache2-api-20120211-openssl1.1 when we upgrade apache2 to 
openssl 1.1. This would at least require a binNMU off all apache2 modules. 
Modules that don't use dh_apache2 to generate the dependency would need a 
sourceful update.

On the other hand, since there seem to be so few modules that do this, adding 
some "breaks:" may be the better solution. The grep I did would then need to 
be re-done for modules that are in jessie but not in sid.


[1] Assuming the module-packages are extracted in the current dir:
for f in $(find . -name \*.so) ; do strings $f |grep -qw -e ssl_module -e 
init_server -e pre_handshake -e proxy_post_handshake && echo $f ; done

Reply to: