[oi-dev] OpenSSL 1.0.0 replacing 0.9.8 in userland-gate = massive headache

Alasdair Lumsden alasdairrr at gmail.com
Sat Sep 3 20:56:12 UTC 2011


Hi All,

In Oracle's official userland-gate, they have replaced OpenSSL 0.9.8 
with 1.0.0. This has massive ramifications, because everything linked 
against OpenSSL 0.9.8 breaks as soon as library/security/openssl gets 
upgraded, including pkg, which is all kinds of fun.

There are two realistic options, and one unrealistic idealistic option:

1. Don't bother upgrading to OpenSSL 0.9.8, worry about it another day

2. Do the upgrade, but also ship an openssl 0.9.8 compatibility package 
and make the new one depend on it - this lets old software continue to 
run whilst recompiles pick up the new OpenSSL. Slowly transition to 
OpenSSL 1.0.0.

I've made such a package by pkgrecv'ing openssl 0.9.8, hacking out 
everything except the libraries and republishing it locally as 
library/security/openssl/compatibility/0.9.8 - works fine.

3. Do the upgrade. Rebuild everything against OpenSSL 1.0.0, and release 
rebuilt software with the openssl 1.0.0 upgrade, in one simultaneous 
release.

Obviously 3 has ramifications beyond the base system, because any third 
party software that depends on OpenSSL 0.9.8 will break. This is why 
having a compatibility package is probably necessary regardless.

I've provided a list of software below that depends on OpenSSL, which 
affects these consolidations:

gnome
ips
l10n
oi-build
osnet
sfw
vpanels

Thankfully those are all ones we can easily rebuild (indeed, sfw is 
gone), with the exception of gnome (JDS) which, without a replacement 
for Distro Importer in the new continuous integration world, is quite 
tricky.

My personal preference is 2, although ideally we need to convert OpenSSL 
0.9.8 to oi-build format to make the compatibility package, for 
sustaining/security patches. Hacking the package together was good for a 
proof of concept but we need to be able to rebuild it/update it.

Comments welcome!

Cheers,

Alasdair


consolidation/sfw/sfw-incorporation - sfw sfw
crypto/gnupg - oi-build sfw
database/postgres-82 - sfw sfw
database/postgres-82/contrib - sfw
database/postgres-82/developer - sfw
database/postgres-82/library - sfw
database/postgres-83 - sfw sfw
database/postgres-83/contrib - sfw
database/postgres-83/developer - sfw
database/postgres-83/library - sfw
database/postgres-84 - sfw sfw
database/postgres-84/contrib - sfw
database/postgres-84/developer - sfw
database/postgres-common - sfw
database/postgres/pg_upgrade - sfw
database/postgres/pgadmin - sfw
desktop/gftp - gnome
desktop/irc/xchat - gnome
desktop/remote-desktop/rdesktop - oi-build gnome
desktop/system-monitor/gkrellm - gnome
desktop/torrent/transmission - gnome
diagnostic/httping - oi-build sfw
diagnostic/nmap - oi-build sfw
library/gnome/gnome-vfs - gnome
library/libtorrent - oi-build sfw
library/neon - oi-build sfw
library/openldap - sfw
library/perl-5/net-ssleay - sfw
library/perl-5/postgres-dbi - sfw
library/print/cups-libs - oi-build sfw
library/python-2/m2crypto - oi-build ips ips
library/python-2/m2crypto-26 - oi-build
library/python-2/pycurl - oi-build ips ips
library/python-2/pycurl-26 - oi-build
library/python-2/pyopenssl-24 - sfw
library/python-2/pyopenssl-26 - oi-build sfw
library/raptor - gnome
library/security/pam/module/pam-pkcs11 - oi-build sfw
library/security/trousers - oi-build sfw
library/xmlrpc-c - sfw
mail/fetchmail - oi-build sfw
mail/mutt - oi-build sfw
network/chat/irssi - gnome
network/dns/bind - oi-build oi-build sfw sfw
network/nntp/slrn - oi-build sfw
network/ssh - osnet osnet
network/ssh/ssh-key - osnet
network/tor - sfw
package/svr4 - osnet
print/cups - oi-build sfw
print/filter/hplip - oi-build sfw
redistributable -
runtime/erlang - oi-build sfw
runtime/python-24 - gnome
runtime/python-25 - gnome
runtime/python-26 - gnome
runtime/ruby-18 - oi-build sfw
runtime/tcl-8/tcl-openssl - oi-build sfw
service/database/postgres-82 - sfw
service/database/postgres-83 - sfw
service/database/postgres-84 - sfw
service/network/dns/bind - oi-build sfw
service/network/load-balancer/pen - sfw
service/network/ntp - oi-build sfw
service/network/smtp/sendmail - osnet
service/network/ssh - osnet
service/network/wpa - osnet
service/security/kerberos-5 - osnet
service/security/stunnel - sfw
system/boot/wanboot - osnet
system/input-method/iiim - l10n
system/library - osnet
system/library/security/crypto/pkcs11_kms - osnet
system/management/cim/pegasus - sfw
system/management/ipmitool - oi-build sfw
system/management/rad - vpanels
system/management/visual-panels - vpanels
system/management/web/openwsman - sfw
system/management/webmin - sfw
web/browser/elinks - oi-build sfw
web/browser/links - oi-build sfw
web/browser/lynx - gnome
web/browser/w3m - gnome
web/curl - oi-build sfw
web/php-52 - sfw
web/proxy/squid - oi-build sfw
web/server/apache-13 - sfw
web/server/apache-22 - oi-build sfw
web/server/ejabberd - oi-build sfw
web/server/lighttpd-14 - oi-build sfw
web/wget - oi-build sfw
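
An added example, not part of the original message or of any OpenIndiana tooling: one way to sort binaries by the OpenSSL soname version they resolve, using captured `ldd` output, so that it is clear which ones still rely on a 0.9.8 compatibility package during a gradual transition. The sample `ldd` output, the binary paths and the status names are constructed for illustration.

```python
import re

# Matches ldd(1) lines such as "libssl.so.0.9.8 => /lib/libssl.so.0.9.8".
NEEDED = re.compile(r"^\s*lib(ssl|crypto)\.so\.(\S+)\s+=>", re.M)

# Constructed sample ldd output; binaries and paths are illustrative only.
SAMPLE = {
    "/usr/bin/old-tool": """
        libssl.so.0.9.8 =>  /lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>  /lib/libcrypto.so.0.9.8
        libc.so.1 =>  /lib/libc.so.1
    """,
    "/usr/bin/rebuilt-tool": """
        libssl.so.1.0.0 =>  /lib/libssl.so.1.0.0
        libcrypto.so.1.0.0 =>  /lib/libcrypto.so.1.0.0
    """,
    # Rebuilt binary that still pulls 0.9.8 in through an unrebuilt library.
    "/usr/bin/half-rebuilt": """
        libssl.so.1.0.0 =>  /lib/libssl.so.1.0.0
        libcrypto.so.0.9.8 =>  /lib/libcrypto.so.0.9.8
    """,
    "/usr/bin/no-tls": """
        libc.so.1 =>  /lib/libc.so.1
    """,
}

def openssl_versions(ldd_output):
    """Return the set of libssl/libcrypto soname versions in ldd output."""
    return {m.group(2) for m in NEEDED.finditer(ldd_output)}

def classify(ldd_output, old="0.9.8", new="1.0.0"):
    """Label one binary by the OpenSSL versions it resolves."""
    versions = openssl_versions(ldd_output)
    if not versions:
        return "none"
    if versions == {new}:
        return "rebuilt"
    if versions == {old}:
        return "needs-compat"
    # More than one version in the same process, or an unexpected version.
    return "mixed" if len(versions) > 1 else "unknown"

def audit(ldd_by_binary):
    """Group binary paths by status so the rebuild backlog is visible."""
    report = {}
    for path, text in ldd_by_binary.items():
        report.setdefault(classify(text), []).append(path)
    return {status: sorted(paths) for status, paths in report.items()}

if __name__ == "__main__":
    for status, paths in sorted(audit(SAMPLE).items()):
        print(status, paths)
```

The "needs-compat" group is the set that would stop working if the 0.9.8 libraries were removed; the "mixed" group resolves both versions in one process and is worth reviewing before release.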



