[oi-dev] OpenSSL 1.0.0 replacing 0.9.8 in userland-gate = massive headache
alasdairrr at gmail.com
Sat Sep 3 23:54:30 UTC 2011
On 09/ 4/11 12:30 AM, Garrett D'Amore wrote:
> So, I believe that 3 might not be such a bad option, because I think technically the openssl package and APIs have historically been considered "Private" (i.e. unstable and not for use by ISVs.) This is the Solaris view of it at any rate.
I agree 3 would be "best", but unfortunately it breaks the notion of us
doing incremental development. It would probably result in the change
being held back for months, as we'd need to synchronise everybody to
re-build and deliver the non-oi-build consolidations at the same time.
JDS is stuck at the moment until Guido finds some time to work on it.
Since we've ditched distro-importer and are going IPS-only to streamline
development and escape "release engineering nightmare land", we'll need
to get JDS churning out IPS packages. Thankfully alanc mentions JDS is
finally doing that internally with a newer pkgbuild/pkgtool.
We can achieve the end goal of 3 but over time (which is effectively
option 2), so we ship the new package + a compatibility package, so we
can rebuild everything incrementally to use the new openssl over time.
This way we get the benefit of the new OpenSSL right away, and a window
of time to move over to it.
Regarding whether we ship the compat package in /stable, I think we
might have to to keep people happy. OpenSSL being a private API is fine
for ISVs in the enterprise, but because OpenSSL is used by so much
software, a lot of people will have built against the system supplied
openssl. All of that software will break when people upgrade if we don't
ship a compat package. As an example, anyone who has built their own
Apache and that uses mod_ssl.
Certainly it'd make life difficult for SFE who I'm pretty certain will
have software using openssl. If we don't ship a compat package, they
would have to maintain two different versions of everything depending on
the version of OI people are running.
Josef's idea of putting a time limit on the compat package makes sense -
we could provide it for 1 stable release and yank it after that.
More information about the oi-dev