On 31/01/2023 22:08, Vincent Bernat wrote:
> On 2023-01-31 21:44, Lee Garrett wrote:
>> with release 2.6 haproxy has dropped the "ssl-engine" keyword by default.
>> Would be nice to document that in NEWS.Debian so it gets shown by tools
>> such as apt-listchanges during upgrade from bullseye to bookworm.
>>
>> In my case haproxy failed to start with my bullseye config since it still
>> had the "ssl-engine" keyword in it.
>
> I understand this would be useful, but it opens me to get bugs like
> "NEWS.Debian says something about ssl-engine, but not about some other
> change". I would need to make a summary of upstream's CHANGELOG file.
> This seems a tedious task.

I wouldn't list all changes there, only those that break existing
setups. So stuff where admins need to get active.

AFAICS there are only three backwards-incompatible changes [0]:

- "ssl-engine" being dropped
- openssl 0.9.8 support being dropped (irrelevant, as the package is
  built against a newer version)
- previously, clients sending an invalid "Version: rtsp/1.1" header
  would still get their request served, this is now caught and a 502
  served. The old behaviour can be enabled with "option
  accept-invalid-http-request"

All other changes add new options, or improve on existing behaviour, so
nothing that breaks existing config during upgrade.

I'm fine with writing a NEWS.Debian for you as I think users would
benefit from it. I think the ssl-engine drop is a bigger speedbump, as
configs with that setting will silently fail on upgrade, as there
doesn't seem to be any validation of it when it gets restarted. I only
noticed a bit later as some of my services weren't reachable.

[0] https://www.mail-archive.com/haproxy@formilux.org/msg42371.html,
grep for "potentially user-visible changes"
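
A pre-upgrade check for the "ssl-engine" breakage discussed in this thread, as an added example that is not part of any message here: it reports uncommented "ssl-engine" directives, with the section they sit in, for each HAProxy config file passed as an argument. The function names, the sample config and the "rdrand" engine value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): scan HAProxy config files for active
# "ssl-engine" directives before upgrading to a 2.6 package.

# Print "file:line: [section] directive" for each uncommented ssl-engine line.
# Return status: 0 = none found, 1 = at least one found, 2 = unreadable file.
scan_ssl_engine() {
    rc=0
    for cfg in "$@"; do
        if [ ! -r "$cfg" ]; then
            echo "cannot read: $cfg" >&2
            rc=2
            continue
        fi
        hits=$(awk -v f="$cfg" '
            # Track the current section so the report says where the keyword sits.
            $1 ~ /^(global|defaults|frontend|backend|listen)$/ { section = $1 }
            # Commented lines have "#" in the first word, so they never match.
            $1 == "ssl-engine" {
                sub(/^[ \t]+/, "")
                printf "%s:%d: [%s] %s\n", f, NR, (section ? section : "none"), $0
            }
        ' "$cfg")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            [ "$rc" -eq 2 ] || rc=1
        fi
    done
    return "$rc"
}

# Constructed sample config: one commented and one active directive.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'global' '    log /dev/log local0' \
        '    # ssl-engine rdrand' '    ssl-engine rdrand' \
        'defaults' '    mode http' > "$tmp"
    scan_ssl_engine "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# With file arguments, scan them; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then
    scan_ssl_engine "$@"
else
    demo || echo "demo: active ssl-engine directive found (expected)"
fi
```

The non-zero return status on a hit lets the scan gate an upgrade step in a script or configuration-management run.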