[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Statement(s) on libssl situation desired

luk@debian.org wrote:
> Kurt Roeckx wrote:
> > I intend to drop the libssl0.9.7-dev package in the next upload,
> > which I hope to do soon.  I don't think it's a good idea to keep
> > that -dev package around.  Unless the release team ask me to keep
> > it around, I'll remove it.
> I would be very surprised if the release team would ask you to keep it
> around (due to conversations on IRC).

Oh good grief.

What are the plans for the libssl fiasco?  Consider this a formal request for 
a statement.

Note the following apparent facts:
* libssl0.9.7 and libssl0.9.8, if linked in the same binary, will cause 
unpredictable failure due to symbol conflicts.
* This could be fixed if libssl0.9.8 had versioned symbols, which it doesn't 
* I see from pkg-openssl-devel that the plans are to version the symbols in 

Is this a settled decision yet?  (If so, good!)  Is there an ETA for a 
versioned version (ahem) in unstable?  Has it been accepted by upstream.  If 
not, will it be done in Debian anyway?  Will it be done ASAP or are plans to 
wait for upstream?

If we are planning to wait until upstream accepts this, what will be done to 
deal with the problem in the meantime?

Packages built against the unversioned libssl0.9.8 will, when run on a system 
with versioned libssl0.9.8, either pick up the symbols from libssl0.9.7 
(wrong) or not find their symbols (segfault).  Accordingly, all packages 
linked against the current libssl0.9.8 are in trouble and will need rebuilds.  
However, currently there is *nothing* preventing yet more packages being 
built against it.  Are there plans to deal with this?  (Perhaps, at the 
least, a warning message to d-d-a telling people not to upload packages built 
against libssl0.9.8 at this time?)

It may also be nontrivial to identify such packages after versioned 
libssl0.9.8 goes into the archive (all packages depending on libssl0.9.8 will 
require an audit of their symbols to see whether they were built against the 
versioned version).  This may be avoided by a shlibs bump or package name 
change for the versioned libssl0.9.8.

Finally, are there any plans to alleviate testing migration issues for 
packages held up by this, and if so, how?

Nathanael Nerode  <neroden@twcny.rr.com>

A thousand reasons. http://www.thousandreasons.org/
Lies, theft, war, kidnapping, torture, rape, murder...
Get me out of this fascist nightmare!

Reply to: