
Re: OpenSSL 1.1.0



On Tue, Nov 01, 2016 at 11:26:15PM +0100, Cyril Brulebois wrote:
> Hi,
> 
> Just random thoughts…
> 
> Kurt Roeckx <kurt@roeckx.be> (2016-11-01):
> > I just uploaded OpenSSL 1.1.0 to unstable. There are still many
> > packages that fail to build using OpenSSL 1.1.0. For most packages
> > it should be easy to migrate to 1.1.0. The most common problems when
> > going to OpenSSL 1.1.0 are:
> > - configure trying to detect a function that's now a macro.
> > - Accessing members of structures that have now become opaque. You
> >   now need to use functions to get or set them.
> > 
> > The changes required are usually very easy and do not take a long
> > time to implement.
> > 
> > Many upstream projects have already done the work or are working
> > on it. Fedora is also doing the OpenSSL 1.1.0 migration. So both
> > places are a good place to look at to see if they have already
> > done the work.
> > 
> > There might also be packages for which the changes are more
> > involved and that can't be fixed in time for the release. If you
> > want to stay with OpenSSL 1.0.2 you need to change your Build-Depends
> > from libssl-dev to libssl1.0-dev.
> > 
> > I would like to encourage that at least the packages that are
> > making use of libssl and not just libcrypto move to OpenSSL 1.1.0
> > because it contains important new features. It adds support for,
> > among other things:
> > - Extended master secret: This fixes the triple handshake problem
> >   in TLS.
> > - Chacha20-poly1305
> > - X25519
> 
> Things that work fine for this kind of transitions (hello, new gcc
> upstream releases) include:
>  - pointers to upstream release notes;
>  - pointers to porting guides;

All the filed bugs already contain a link to the porting guide.

>  - pointers to existing patches for common fixes if the former don't
>    exist just yet (but then that would be a rather unprepared move).
> 
> (Mentioning “many upstream projects” and “Fedora” is better than nothing
> but isn't as helpful as what I've listed above.)
> 
> > If you have any problems feel free to contact us.
> 
>  - are “you” <pkg-openssl-devel@lists.alioth.debian.org>?

Yes.


Kurt
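
The two porting problems listed in the quoted announcement (configure probes for a function that is now a macro, and direct access to members of structures that are now opaque) can be searched for mechanically before a rebuild. The following is an added example, not part of the original message or of any Debian or OpenSSL tooling: a heuristic Python scan whose pattern list, the function name scan and the sample files are assumptions constructed for illustration.

```python
import re

# Link-only autoconf probes for names that OpenSSL 1.1.0 defines as macros.
MACRO_PROBE = re.compile(
    r"AC_(?:CHECK_LIB|SEARCH_LIBS|CHECK_FUNCS?)\s*\(.*\b"
    r"(SSL_library_init|SSL_load_error_strings)\b")

# Pre-1.1.0 idioms that touch struct internals, with the replacement to use.
# This list is a small illustrative subset, not a complete porting checklist.
OPAQUE = [
    (re.compile(r"->pkey\.(?:rsa|dsa|dh|ec)\b"),
     "use EVP_PKEY_get0_RSA() and its DSA/DH/EC_KEY siblings"),
    (re.compile(r"->cert_info\b"),
     "use X509 accessor functions such as X509_get_subject_name()"),
    (re.compile(r"^\s*(?:EVP_MD_CTX|EVP_CIPHER_CTX|HMAC_CTX)\s+\w+\s*;"),
     "allocate with the matching *_new() and release with *_free()"),
]

def scan(files):
    """Return (path, line number, category, hint) for each suspicious line."""
    findings = []
    for path, text in files.items():
        for num, line in enumerate(text.splitlines(), 1):
            m = MACRO_PROBE.search(line)
            if m:
                findings.append((path, num, "macro-probe",
                                 f"{m.group(1)} is a macro; probe a real "
                                 "function or compile against the header"))
            for pattern, hint in OPAQUE:
                if pattern.search(line):
                    findings.append((path, num, "opaque-struct", hint))
    return findings

# Constructed sample tree (not taken from any real package).
SAMPLE = {
    "configure.ac": "AC_INIT([demo], [1.0])\n"
                    "AC_CHECK_LIB([ssl], [SSL_library_init])\n"
                    "AC_CHECK_LIB([crypto], [EVP_DigestInit_ex])\n",
    "src/sign.c": "EVP_MD_CTX ctx;\n"
                  "RSA *rsa = pkey->pkey.rsa;\n"
                  "EVP_MD_CTX *ok = EVP_MD_CTX_new();\n",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("%s:%d: [%s] %s" % finding)
```

A clean result only means none of these particular idioms were found; a build against libssl-dev remains the real check.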

