[oi-dev] [HEADS UP] OpenSSL was updated to 1.0.2d

Peter Tribble peter.tribble at gmail.com
Wed Nov 4 14:32:39 UTC 2015


On Wed, Nov 4, 2015 at 6:57 AM, Nikola M <minikola at gmail.com> wrote:

> On 11/ 3/15 05:47 PM, Alexander Pyhalov wrote:
>
>> The following concerns all OI Hipster users.
>>
>> OpenSSL was updated to 1.0.2d. It is mostly ABI-compatible to 1.0.1, but
>> there is one issue. libssh has checks that utils are using the SSL version,
>> against which they were compiled. So, you have to recompile illumos-gate
>> after this update, if you use self-compiled illumos-gate. If you don't, be
>> sure to do full pkg update, so that you have the latest osnet bits
>> installed.
>>
>> Note, that updating openssl without updating illumos-gate-provided
>> packages will also cause default gnome login to fail, as ssh-agent is used
>> during session startup.
>>
>
> One of the better sides of (Open) Solaris was ABI compatibility.
>

Indeed. I routinely use binaries from the 1980s on sparc.


> I had issue once updating OpenSUSE, where some repositories were locked
> for updates after update I was left with the system that I could not log
> into, because SSH could not run on newer Linux kernel and it needed to
> recompile to run.
> I was thinking something like this would never happen to an illumos distro
> and Openindiana.
>
> I understand that if one just ro regular pkg update -v , will see nothing
> wrong,
> yet I needed to send some reflections and listen to possible feedback on
> the matter of ABI compatibility
> (and having at least some releases to target compatibility on to).
>

So, to start with, the binary compatibility guarantees aren't relevant, as
openssl isn't covered. (In general, 3rd-party software of any sort isn't
covered - simply because so much of it simply doesn't care about
compatibility, although current openssl and the core gnome stack is
actually pretty good.)

What this normally means is that you can reasonably expect software from
Solaris 9 and earlier to continue to work on later releases (Solaris 10, 11,
opensolaris and derivatives). However, you'll have more difficulty with
software for Solaris 10 and getting that to work on later releases - and
openssl is the biggest offender, because it did break between Solaris 10
(0.9.7) and opensolaris (0.9.8) and current (1.x).

And then there's the point that openssl is actually forward compatible, so
this openssl upgrade *does* preserve compatibility. In fact, 1.0.2c had an
ABI incompatibility and was replaced *very* quickly.

The problem here is that SunSSH explicitly (and incorrectly) checks for the
openssl version. That has nothing to do with compatibility. Fortunately,
I've yet to come across anything else that breaks.

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
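
An added illustration, not part of the original message and not SunSSH's own code: a build-time versus run-time OpenSSL version comparison of the kind discussed in this thread, once as a strict match and once as a check that accepts a newer fix level in the same series. The function names, the exact form of both checks and the sample version values are assumptions made for this example.

```c
#include <stdio.h>

/* OpenSSL 1.0.x encodes its version as 0xMNNFFPPS: M major, NN minor,
 * FF fix, PP patch letter (a = 01), S status (f = release). */
#define V_1_0_1   0x1000100fUL /* 1.0.1,  constructed: headers at build time */
#define V_1_0_1P  0x1000110fUL /* 1.0.1p, constructed: patch-letter update   */
#define V_1_0_2D  0x1000204fUL /* 1.0.2d, constructed: library at run time   */
#define V_1_1_0   0x1010000fUL /* 1.1.0,  constructed: different minor series */

static unsigned long fix_level(unsigned long v) { return (v >> 12) & 0xffUL; }

/* Hypothetical strict check: every field except the patch letter must equal
 * the build-time value, so a newer fix level is rejected. */
int strict_version_ok(unsigned long built, unsigned long loaded)
{
    return ((built ^ loaded) & ~0xff0UL) == 0;
}

/* Hypothetical relaxed check: same major, minor and status, and the loaded
 * library's fix level is not older than the headers'. */
int compatible_version_ok(unsigned long built, unsigned long loaded)
{
    const unsigned long series = 0xfff0000fUL;
    if ((built & series) != (loaded & series))
        return 0;
    return fix_level(loaded) >= fix_level(built);
}

int main(void)
{
    printf("strict   1.0.1 -> 1.0.2d: %d\n", strict_version_ok(V_1_0_1, V_1_0_2D));
    printf("relaxed  1.0.1 -> 1.0.2d: %d\n", compatible_version_ok(V_1_0_1, V_1_0_2D));
    printf("relaxed  1.0.2d -> 1.0.1: %d\n", compatible_version_ok(V_1_0_2D, V_1_0_1));
    return 0;
}
```

In a program linked against OpenSSL 1.0.x the two arguments would be `OPENSSL_VERSION_NUMBER` from the headers and the value returned by `SSLeay()` from the loaded library.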