Re: openssl 1.1.1 in stretch backports?

["Yuriy M. Kaminskiy" <yumkam+debian@gmail.com>]

On 12.01.2019 00:23, Benjamin Kaduk wrote:
> On Fri, Jan 11, 2019 at 01:56:35PM +0100, Harald Dunkel wrote:
> > On 1/11/19 11:46 AM, Simon McVittie wrote:
> > > OpenSSL 1.1.0 and 1.1.1 both build libssl.so.1.1; so, no, they cannot
> > > be parallel-installed. If there was a backport of openssl 1.1.1 it would
> > > replace 1.1.0.
>
> I suppose it could use a "shlib_variant" customization string to present as
> adifferent library that would need to be explicitly requested by consumers.
> Which would be fairly lousy for other software in -backports, I suppose,
> but could have some utility for some people.
>
> > >       smcv
> >
> > Is it possible to use openssl 1.1.1 as a drop-in replacement for
> > 1.1.0?
>
> Well ... mostly.  It's *supposed* to be, but there are some places where
> behavior had to change to get TLS 1.3 support, and some of those changes
> are on the boundary of "breaks functioning code" and "your code was doing
> unsupported/undocumented things".  (Unfortunately, I don't have any
> examples off the top of my head.)

Definitely known are:
$ grep Breaks openssl-1.1.1a/debian/control
Breaks: python-httplib2 (<< 0.11.3-1), isync (<< 1.3.0-2), 
python-imaplib2 (<< 2.57-5), python3-imaplib2 (<< 2.57-5), python-boto 
(<< 2.44.0-1.1), python3-boto (<< 2.44.0-1.1)

As far as I can see, stretch{,-backports} contains still-incompatible 
versions. For sure, there can be more.