Hi Bernd,

Thank you for the quick reply. =)

On Thu, Mar 2, 2017 at 5:42 PM, Bernd Zeimetz <be...@bzed.de> wrote:
> Hi Tiago,
>
>> Please consider improving Build-depends to accept either
>> libssl1.0-dev or libssl-dev as that will make backporting easier.
>
> I'm not sure how Ubuntu handles these things, but in Debian the
> autobuilders only consider the first alternative of build dependencies
> to keep a build reproducible - so if you have  A | B as build-dep, they
> will always use A.

If A is not available then the builds will try B, C, ... .

I did a test build for Yakkety - which does not have libssl1.0-dev
(A) - and it picked libssl-dev (B) instead. On Zesty (our dev version)
the builders use libssl1.0-dev as that is available.

> I'm backporting the package to jessie and wheezy and you can find these
> sources in my git repository, too. Especially for wheezy there are some
> extra changes necessary.

Thanks for letting us know, should we need to backport, this will
probably come in handy. =)

> Also a backport in the current state won't make upstream happy as the
> cgauth service won't be started. For jessie I might depend on systemd,
> but for older distributions an init script is necessary.
>
> btw, regarding the ubuntu package - it's nice that it is just taking my
> packaging these days - but why do you guys still build without
> xmlsecurity and xerces?

This is caused by the separation we have between Main and Universe.
Main is the stuff that is guaranteed to have security updates and all,
Universe not so much - there are other differences, but security is
what matters most in this case.

open-vm-tools is in Ubuntu Main archive, but xml-security-c and xerces
are in Universe. If they were only required for building it would be
fine, we have been allowed since Xenial to have packages in Main with
a Build-Depend on packages in Universe. The problem is that both
xml-security-c and xerces are also runtime dependencies, so a package
in Main can't have those [1]. To depend on those would require them to
be moved to Main, which didn't happen [2].

What I did, based on suggestions, was to build and test against
xmlsec1, which is in Main and accepted by open-vm-tools's configure.
The build turned out fine. I haven't done any real testing on it, I'm
now waiting for other folks to look into that if they have the time.

Is there a reason why Debian prefers xmlsecurity and xerces instead of
xmlsec1? If it were to depend on xmlsec1 then Ubuntu would be able to
use the exact same package. I'm not familiar with the functionality in
and security of open-vm-tools, xmlsecurity, xerces, and xmlsec1, so I
really have no idea what difference that would make.

Many thanks!


[1] https://lists.ubuntu.com/archives/ubuntu-devel-announce/2016-April/001179.html
[2] https://bugs.launchpad.net/ubuntu/+source/xml-security-c/+bug/1482777

-- 
Tiago Stürmer Daitx
Software Engineer
tiago.da...@canonical.com

PGP Key: 4096R/F5B213BE (hkp://keyserver.ubuntu.com)
Fingerprint = 45D0 FE5A 8109 1E91 866E  8CA4 1931 8D5E F5B2 13BE
