[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#864160: Release notes should document how to compile 3rd party software against OpenSSL

Package: release-notes
Severity: normal

With both OpenSSL 1.0.2 and 1.1 included in stretch,
the release notes should document which to choose for
compiling 3rd party software.

In most cases either will work, but in some circumstances
compiling against the wrong OpenSSL version will result
in a crashing application (if some library used uses the
other OpenSSL version and incompatible data is passed
from one OpenSSL version to the other).

It was decided to not force the correct OpenSSL version through
libssl1.0-dev/libssl-dev dependencies.

For packages included in stretch choosing the correct OpenSSL
version was implemented through a review by Kurt half a year
ago and RC bugs forcing affected software to use the correct

For stretch users compiling 3rd party software this should be
properly documented.

One consumer of this information should be stretch-backports,
whenever a package uses libssl1.0-dev in stretch but libssl-dev
in buster the information is required whether compiling with
libssl-dev in stretch-backports is safe.

Reply to: