
Re: OpenSSL 1.1.0



On Monday, 21 November 2016 11:30:13 ART Henrique de Moraes Holschuh wrote:
> On Mon, Nov 21, 2016, at 11:06, Jan Niehusmann wrote:
> > On Mon, Nov 21, 2016 at 11:11:09AM +0100, Tino Mettler wrote:
> > > At the end I noticed that Qt will stay at 1.0 (by glancing into the
> > > changelog of the relevant upload) which means that my package also has
> > > to stay at 1.0 and the whole excitement resulted in just a changed
> > > build-dep.
> > 
> > I'm not so sure about this any more:
> > 
> > In https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844018 Stepan
> > Golosunov wrote that according to his understanding of dlsym(3), it
> > should be fine to link a program with OpenSSL 1.1 and Qt at the same
> > time, even though Qt links to OpenSSL 1.0.
> > 
> > Can somebody who knows OpenSSL, Qt and dlopen/dlsym well enough confirm
> > that?
> 
> The linking is fine, I believe even any eventual globals (if any) will
> be correctly handled in Debian nowadays.  What causes extremely nasty
> issues is layering violations causing openssl data structures to leak
> from something linked to one version of the library, to something else
> linked to another version of the library.
> 
>  If, at any point, internal data structures from openssl are exposed, or
>  OpenSSL contexts are passed between two libraries, or a library and an
>  application, *they must all be from the same openssl*.
> 
> This is not something the linker or dlopen/dlsym can enforce.  And you
> need to manually inspect the code to be sure... usually.
> 
> So, if Qt *ever* exposes its use of openssl anywhere in its APIs, it
> might not be safe.   If it doesn't (i.e. at most you have a qt flag that
> says "use SSL", etc), then it should be fine.

Qt uses ssl in QtNetwork, so at the very least I would say that if you don't use
QtNetwork you should be fine.

But this is only theory.

-- 
Drink on board (but in moderation)

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
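The "two OpenSSL ABIs in one process" situation Henrique describes cannot be enforced by the linker, but whether it has actually occurred can be observed. This added check (not from the thread, not Debian or Qt code) counts the distinct libssl/libcrypto ABIs in ldd(1) output or in /proc/PID/maps; it assumes a Linux /proc filesystem, POSIX awk, and the constructed sample maps shown inline.

```sh
#!/bin/sh
# Added example (not from the thread): report how many distinct OpenSSL ABIs
# are present in a process or in a binary's dependency closure. It cannot detect
# the layering violation itself (an OpenSSL object crossing from 1.0 code to
# 1.1 code); it only flags that two ABIs coexist, which is what makes it possible.

# count_openssl_abis reads ldd(1) output or /proc/PID/maps on stdin and prints
# the number of distinct libssl/libcrypto ABI versions it finds. Sonames are
# reduced to an ABI token: 1.0.0 and 1.0.2 -> 1.0, 1.1 -> 1.1, 3 -> 3.
count_openssl_abis() {
    awk '
        BEGIN { split("", seen) }
        match($0, /lib(ssl|crypto)\.so\.[0-9][0-9.]*/) {
            soname = substr($0, RSTART, RLENGTH)        # e.g. libssl.so.1.0.2
            sub(/^lib(ssl|crypto)\.so\./, "", soname)   # -> 1.0.2
            split(soname, v, ".")
            abi = (v[1] == "1") ? v[1] "." v[2] : v[1]  # -> 1.0
            seen[abi] = 1
        }
        END { n = 0; for (a in seen) n++; print n }'
}

# check_binary looks at the link-time closure only; libraries that QtNetwork
# loads later through dlopen(3) will not appear here.
check_binary() {
    [ "$(ldd "$1" | count_openssl_abis)" -le 1 ]
}

# check_process inspects a running process; /proc/PID/maps includes libraries
# mapped via dlopen(3), so this is the check that actually answers the question.
check_process() {
    [ "$(count_openssl_abis < "/proc/$1/maps")" -le 1 ]
}

# Constructed sample of /proc/PID/maps for an application linked against
# OpenSSL 1.1 whose QtNetwork has dlopen()ed the 1.0.2 libraries.
SAMPLE_MAPS='7f1a00100000-7f1a00101000 r-xp 00000000 08:01 2 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1a00200000-7f1a00201000 r-xp 00000000 08:01 3 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f1a00300000-7f1a00301000 r-xp 00000000 08:01 4 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
7f1a00400000-7f1a00401000 r-xp 00000000 08:01 5 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2
7f1a00500000-7f1a00501000 r-xp 00000000 08:01 6 /lib/x86_64-linux-gnu/libc-2.24.so'

# Constructed ldd-style sample where everything uses a single ABI.
SAMPLE_CLEAN='    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f1a00100000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1a00200000)'

printf 'mixed sample: %s OpenSSL ABI(s)\n' "$(printf '%s\n' "$SAMPLE_MAPS" | count_openssl_abis)"
printf 'clean sample: %s OpenSSL ABI(s)\n' "$(printf '%s\n' "$SAMPLE_CLEAN" | count_openssl_abis)"
```

A count above 1 is not proof of a bug; it is the precondition under which the manual code inspection Henrique mentions becomes necessary.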
