[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packages that need to be rebuilt agaisnt libssl0.9.8

On Thu, Oct 06, 2005 at 10:20:12PM +0200, Christoph Martin wrote:

> > You are right - as so often.

> > People are still required to speak with the release team first. But some
> > people prefer to make all of our life harder then necessary.

> > Please again: If someone wants to make any transition, please speak
> > *first* with the release team. Do not just assume you can upload just
> > anything. We really want to finish the c++-abi-transition first.

> Sorry for that. I missed the message about not doing library
> transitions. My fault. But I also do not really understand why so many
> packages need to be rebuild since libssl0.9.7 will be in the archive
> too.

How?  I don't see any openssl097 source package in the archive, only openssl
and openssl096.  If it is your intention to upload an openssl097 source
package, please do so ASAP (preferably *before* libssl0.9.7 is removed from
unstable via rene!), and please tell maintainers that they should *not* be
transitioning to libssl0.9.8 at this time.  There are probably many packages
that can safely be migrated to libssl0.9.8, but there are a large number of
other packages, which no one has made a list of, which will have a cascade
effect on segfaults related to other transitions if they are rebuilt now
against a libssl0.9.8 that doesn't have versioned symbols.

> I however understand the problem with different libraries linked against
> different versions of openssl. But I don't think that versioning the
> symbols in Debian alone would be such a good idea. Than we would be
> incompatible with other distributions.

We would be only unidirectionally incompatible with other distros, in the
same way that we would be incompatible distros that shipped an older version
of libssl0.9.8 which was missing a newly-added symbol but was otherwise

> All LSB connected distros should do it the same way.

Yes, they certainly should.  Maintainers that implement versioned symbols
for libraries are always encouraged to submit patches upstream.

> Release team: If you think it would be the right thing to remove openssl
> 0.9.8 from sid, feel free to do it. I did the update, because a lot of
> people bugged me about the new version and upstream only recommends this
> version. It also closes a grave security bug.

I don't think it makes much sense to remove the package from sid once it's
been uploaded, but please see above for my concerns on how we handle this
going forward.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Attachment: signature.asc
Description: Digital signature

Reply to: