Re: OpenSSL 1.1.0

To: debian-devel@lists.debian.org
Cc: 828522@bugs.debian.org, 828523@bugs.debian.org
Subject: Re: OpenSSL 1.1.0
From: Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com>
Date: Mon, 27 Jun 2016 10:04:24 -0300
Message-id: <[🔎] 2255842.LXJHOZo0QM@luna>
Reply-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20160611123036.GA8321@roeckx.be>
References: <[🔎] 20160611123036.GA8321@roeckx.be>

On sábado, 11 de junio de 2016 2:30:37 P. M. ART Kurt Roeckx wrote:
> Hi,
> 
> The release of OpenSSL 1.1.0 is getting nearer.  Some packages
> will no longer build with the new version without changes.  Most
> of those changes should be trivial, like you can't allocate some
> structures on the stack anymore and need to use the correct _new()
> and _free() function.
[snip] 

>    qt4-x11 (U)
>    qtbase-opensource-src (U)

I'm afraid this are not good news from the Qt side.

= Qt 4

Qt 4 is dead upstream, so we have two choices:

- Someone to come up with a patch.
- Remove libSSL usage, causing a nightmare for many Qt4-based apps that are 
still in the archive.

I have learned the Qt does a heavy usage of libSSL, so porting might not be 
trivial. For whatever of the two possible choices above I would not mind going 
ahead with them for Buster, but for Stretch I think it's too late. Even if we 
had a patch I would really want some time to let users check everything works 
as expected, and we are currently have less than 6 months already :-/

= Qt 5

The Qt 5 situation is similar, except releasing Qt5 without ssl support is, 
I'm afraid, a non-go. The Qt upstream in charge of the ssl code said he 
*might* probably have libssl 1.1.0 support ready for 5.8 [note] which will 
happen too [late] for releasing Stretch. Having a non-official patch might be 
doable, but we still need someone to code it and time to test it. Again, with 
the current Stretch time frame, I don't think that's doable.

[note] It's worth to note that he is not working on simply adapting the new 
code but a complete rewrite of the SSL usage in Qt, so even if we had a patch 
I don't think we could have him reviewing it in the short time.

[late] End of year as early.

Thanks to Sune Vuorela for asking upstream about this :)

-- 
Evite los parámetros estáticos. Si son inevitables, haga que el emisor
y el receptor negocien un valor.
  Andrew S. Tanenbaum, de su libro "Computer Networks"

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Follow-Ups:
- Bug#828522: Info received (OpenSSL 1.1.0)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#828523: Info received (OpenSSL 1.1.0)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Re: OpenSSL 1.1.0
  - From: Gert Wollny <gw.fossdev@gmail.com>

References:
- OpenSSL 1.1.0
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Bug#828741: ITP: python-datrie -- Super-fast, efficiently stored Trie for Python
Next by Date: Bug#828522: Info received (OpenSSL 1.1.0)
Previous by thread: Re: OpenSSL 1.1.0
Next by thread: Bug#828522: Info received (OpenSSL 1.1.0)
Index(es):
- Date
- Thread