
Re: Openssl 1.0.0



Hi,

2011/3/9 Kurt Roeckx <kurt@roeckx.be>:
> On Tue, Mar 08, 2011 at 11:11:15PM +0100, Jakub Wilk wrote:
>> * Kurt Roeckx <kurt@roeckx.be>, 2011-02-13, 00:27:
>> >I would like to upload version 1.0.0(d) to unstable soon. It
>> >changes soname, but as far as I know the API is still compatible
>> >with the old one, and you should be able to rebuild everything
>> >against the new version.
>>
>> Support for SSLv2 has been disabled in openssl 1.0.0c-2. We have a
>> few dozen packages in the archive that are not prepared for
>> this: when rebuilt, they will either FTBFS or, worse, produce shared
>> libraries with missing symbols.
>
> We really should stop using SSLv2.  It was either making the
> functions related to ssl 2 do nothing, and potentially silently
> breaking the applications, or just removing the related function
> from the API and trying to make sure they fail on build and
> hopefully catch most of the problems like that.
>
> I think I'll also change some of the header files so that no v2
> related things are defined or declared, since the define for it
> doesn't seem to be used correctly everywhere.
>

I confirm that some packages still use SSLv2[1][2].
I suggest that we do a binNMU for openssl 1.0.

[1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620776
[2]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620777

Best regards,
  Nobuhiro
-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6

