[oi-dev] OpenSSL 1.0.0 replacing 0.9.8 in userland-gate = massive headache
Andrzej Szeszo
aszeszo at gmail.com
Sat Sep 3 23:54:07 UTC 2011
I personally don't have a preference. We may as well go with 3 as
Garrett is suggesting.
We could provide 0.9.8 compatibility libs inside 1.0.0 package during
the transition period.
Andrzej
On 04/09/2011 00:30, Garrett D'Amore wrote:
> So, I believe that 3 might not be such a bad option, because I think technically the openssl package and APIs have historically been considered "Private" (i.e. unstable and not for use by ISVs.) This is the Solaris view of it at any rate.
>
> - Garrett
>
> On Sep 3, 2011, at 1:56 PM, Alasdair Lumsden wrote:
>
>> Hi All,
>>
>> In Oracle's official userland-gate, they have replaced OpenSSL 0.9.8 with 1.0.0. This has massive ramifications, because everything linked against OpenSSL 0.9.8 breaks as soon as library/security/openssl gets upgraded, including pkg, which is all kinds of fun.
>>
>> There are two realistic options, and one unrealistic idealistic option:
>>
>> 1. Don't bother upgrading to OpenSSL 0.9.8, worry about it another day
>>
>> 2. Do the upgrade, but also ship an openssl 0.9.8 compatibility package and make the new one depend on it - this lets old software continue to run whilst recompiles pick up the new OpenSSL. Slowly transition to OpenSSL 1.0.0.
>>
>> I've made such a package by pkgrecv'ing openssl 0.9.8, hacking out everything except the libraries and republishing it locally as library/security/openssl/compatibility/0.9.8 - works fine.
>>
>> 3. Do the upgrade. Rebuild everything against OpenSSL 1.0.0, and release rebuilt software with the openssl 1.0.0 upgrade, in one simultaneous release.
>>
>> Obviously 3 has ramifications beyond the base system, because any third party software that depends on OpenSSL 0.9.8 will break. This is why having a compatibility package is probably necessary regardless.
>>
>> I've provided a list of software below that depends on OpenSSL, which affects these consolidations:
>>
>> gnome
>> ips
>> l10n
>> oi-build
>> osnet
>> sfw
>> vpanels
>>
>> Thankfully those are all ones we can easily rebuild, (indeed, sfw is gone), with the exception of gnome (JDS) which, without a replacement for Distro Importer in the new continuous integration world, is quite tricky.
>>
>> My personal preference is 2, although ideally we need to convert OpenSSL 0.9.8 to oi-build format to make the compatibility package, for sustaining/security patches. Hacking the package together was good for a proof of concept but we need to be able to rebuild it/update it.
>>
>> Comments welcome!
>>
>> Cheers,
>>
>> Alasdair
>>
>>
>> consolidation/sfw/sfw-incorporation - sfw sfw
>> crypto/gnupg - oi-build sfw
>> database/postgres-82 - sfw sfw
>> database/postgres-82/contrib - sfw
>> database/postgres-82/developer - sfw
>> database/postgres-82/library - sfw
>> database/postgres-83 - sfw sfw
>> database/postgres-83/contrib - sfw
>> database/postgres-83/developer - sfw
>> database/postgres-83/library - sfw
>> database/postgres-84 - sfw sfw
>> database/postgres-84/contrib - sfw
>> database/postgres-84/developer - sfw
>> database/postgres-common - sfw
>> database/postgres/pg_upgrade - sfw
>> database/postgres/pgadmin - sfw
>> desktop/gftp - gnome
>> desktop/irc/xchat - gnome
>> desktop/remote-desktop/rdesktop - oi-build gnome
>> desktop/system-monitor/gkrellm - gnome
>> desktop/torrent/transmission - gnome
>> diagnostic/httping - oi-build sfw
>> diagnostic/nmap - oi-build sfw
>> library/gnome/gnome-vfs - gnome
>> library/libtorrent - oi-build sfw
>> library/neon - oi-build sfw
>> library/openldap - sfw
>> library/perl-5/net-ssleay - sfw
>> library/perl-5/postgres-dbi - sfw
>> library/print/cups-libs - oi-build sfw
>> library/python-2/m2crypto - oi-build ips ips
>> library/python-2/m2crypto-26 - oi-build
>> library/python-2/pycurl - oi-build ips ips
>> library/python-2/pycurl-26 - oi-build
>> library/python-2/pyopenssl-24 - sfw
>> library/python-2/pyopenssl-26 - oi-build sfw
>> library/raptor - gnome
>> library/security/pam/module/pam-pkcs11 - oi-build sfw
>> library/security/trousers - oi-build sfw
>> library/xmlrpc-c - sfw
>> mail/fetchmail - oi-build sfw
>> mail/mutt - oi-build sfw
>> network/chat/irssi - gnome
>> network/dns/bind - oi-build oi-build sfw sfw
>> network/nntp/slrn - oi-build sfw
>> network/ssh - osnet osnet
>> network/ssh/ssh-key - osnet
>> network/tor - sfw
>> package/svr4 - osnet
>> print/cups - oi-build sfw
>> print/filter/hplip - oi-build sfw
>> redistributable -
>> runtime/erlang - oi-build sfw
>> runtime/python-24 - gnome
>> runtime/python-25 - gnome
>> runtime/python-26 - gnome
>> runtime/ruby-18 - oi-build sfw
>> runtime/tcl-8/tcl-openssl - oi-build sfw
>> service/database/postgres-82 - sfw
>> service/database/postgres-83 - sfw
>> service/database/postgres-84 - sfw
>> service/network/dns/bind - oi-build sfw
>> service/network/load-balancer/pen - sfw
>> service/network/ntp - oi-build sfw
>> service/network/smtp/sendmail - osnet
>> service/network/ssh - osnet
>> service/network/wpa - osnet
>> service/security/kerberos-5 - osnet
>> service/security/stunnel - sfw
>> system/boot/wanboot - osnet
>> system/input-method/iiim - l10n
>> system/library - osnet
>> system/library/security/crypto/pkcs11_kms - osnet
>> system/management/cim/pegasus - sfw
>> system/management/ipmitool - oi-build sfw
>> system/management/rad - vpanels
>> system/management/visual-panels - vpanels
>> system/management/web/openwsman - sfw
>> system/management/webmin - sfw
>> web/browser/elinks - oi-build sfw
>> web/browser/links - oi-build sfw
>> web/browser/lynx - gnome
>> web/browser/w3m - gnome
>> web/curl - oi-build sfw
>> web/php-52 - sfw
>> web/proxy/squid - oi-build sfw
>> web/server/apache-13 - sfw
>> web/server/apache-22 - oi-build sfw
>> web/server/ejabberd - oi-build sfw
>> web/server/lighttpd-14 - oi-build sfw
>> web/wget - oi-build sfw
>>
>> _______________________________________________
>> oi-dev mailing list
>> oi-dev at openindiana.org
>> http://openindiana.org/mailman/listinfo/oi-dev
>
> _______________________________________________
> oi-dev mailing list
> oi-dev at openindiana.org
> http://openindiana.org/mailman/listinfo/oi-dev
More information about the oi-dev
mailing list