Re: Proposed (lib)curl switch to openssl 1.1

To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Cc: Ian Jackson <ijackson@chiark.greenend.org.uk>, curl@packages.debian.org, Alessandro Ghedini <ghedo@debian.org>, debian-release@lists.debian.org, 858398@bugs.debian.org, Kurt Roeckx <kurt@roeckx.be>
Subject: Re: Proposed (lib)curl switch to openssl 1.1
From: Adrian Bunk <bunk@debian.org>
Date: Mon, 27 Nov 2017 20:04:41 +0200
Message-id: <[🔎] 20171127180441.GT27051@localhost>
In-reply-to: <[🔎] 20171123232619.GA13351@bazinga.breakpoint.cc>
References: <23062.54246.887782.574526@chiark.greenend.org.uk> <[🔎] 20171123150909.frsyvpgokdb4qda2@localhost> <[🔎] 20171123232619.GA13351@bazinga.breakpoint.cc>

Control: block 858927 by -1

On Fri, Nov 24, 2017 at 12:26:20AM +0100, Sebastian Andrzej Siewior wrote:
> On 2017-11-23 17:09:09 [+0200], Adrian Bunk wrote:
> > On Thu, Nov 23, 2017 at 01:57:58PM +0000, Ian Jackson wrote:
> > > 2. For the reason just mentioned, it might be a good idea to put in a
> > >    Breaks against old versions of packages using
> > >    CURLOPT_SSL_CTX_FUNCTION.  However, (a) I am not sure if this is
> > >    actually necessary
> > 
> > See #846908 for an example where it is necessary.
> #844018 has some history and was the reason for curl to stay with 1.0
> 
> > >    (b) in any case I don't have a good list of all
> > >    the appropriate versions
> > 
> > Kurt did search for affected packages a year ago,
> > so the information about affected packages in
> > stretch should already be available.
> > 
> > Note that such Breaks won't work for backported packages.
> 
> I did a grep and it seems that all affected users are blocked by
> #858398 except for hhvm. All of them seem to touch
> CURLOPT_SSL_CTX_FUNCTION and ask for libssl1.0-dev.
> 
> I skipped some others (while doing the grep just now) which should not
> be an issue (like `cargo' but it depends on libssl-dev and
> libcurl4-gnutls-dev or `sx' which uses it only in its configure script
> or `cmake', r-cran-rcurl, curlpp  which do not link against libssl,…).

So if we want to keep the soname, the Breaks would be on[1]:
hhvm (<< 3.21.0+dfsg-2.1)
lastpass-cli (<< 1.0.0-1.3)
libapache2-mod-auth-cas (<< 1.1-2.2)
netsurf-fb (<< 3.6-3.2)
netsurf-gtk (<< 3.6-3.2)
libxmltooling7 (<< 1.6.2-1.1)
zurl (<< 1.9.0-1.1)

> Sebastian

cu
Adrian

[1] I'm assuming there will be no unrelated uploads,
    << -2.1 works no matter whether the OpenSSL 1.1 upload
    will be -2.1 or -3 or -1 of a new upstream version

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to:

References:
- Re: Proposed (lib)curl switch to openssl 1.1
  - From: Adrian Bunk <bunk@debian.org>
- Re: Proposed (lib)curl switch to openssl 1.1
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Prev by Date: Re: Proposed (lib)curl switch to openssl 1.1
Next by Date: Bug#882904: MariaDB 10.0.33 to next Jessie point release
Previous by thread: Re: Proposed (lib)curl switch to openssl 1.1
Next by thread: Proposed (lib)curl switch to openssl 1.1
Index(es):
- Date
- Thread