[oi-dev] OpenSSL 1.0.0 replacing 0.9.8 in userland-gate = massive headache

Alasdair Lumsden alasdairrr at gmail.com
Sat Sep 3 23:54:30 UTC 2011

Hi Garrett,

On 09/ 4/11 12:30 AM, Garrett D'Amore wrote:
> So, I believe that 3 might not be such a bad option, because I think technically the openssl package and APIs have historically been considered "Private" (i.e. unstable and not for use by ISVs.)  This is the Solaris view of it at any rate.

I agree 3 would be "best", but unfortunately it breaks the notion of us 
doing incremental development. It would probably result in the change 
being held back for months, as we'd need to synchronise everybody to 
re-build and deliver the non-oi-build consolidations at the same time.

JDS is stuck at the moment until Guido finds some time to work on it. 
Since we've ditched distro-importer and are going IPS-only to streamline 
development and escape "release engineering nightmare land", we'll need 
to get JDS churning out IPS packages. Thankfully alanc mentions JDS is 
finally doing that internally with a newer pkgbuild/pkgtool.

We can achieve the end goal of 3 but over time (which is effectively 
option 2), so we ship the new package + a compatibility package, so we 
can rebuild everything incrementally to use the new openssl over time.

This way we get the benefit of the new OpenSSL right away, and a window 
of time to move over to it.

Regarding whether we ship the compat package in /stable, I think we 
might have to, to keep people happy. OpenSSL being a private API is fine 
for ISVs in the enterprise, but because OpenSSL is used by so much 
software, a lot of people will have built against the system-supplied 
openssl. All of that software will break when people upgrade if we don't 
ship a compat package. As an example, anyone who has built their own 
Apache that uses mod_ssl.

Certainly it'd make life difficult for SFE, who I'm pretty certain will 
have software using openssl. If we don't ship a compat package, they 
would have to maintain two different versions of everything depending on 
the version of OI people are running.

Josef's idea of putting a time limit on the compat package makes sense - 
we could provide it for 1 stable release and yank it after that.


