Control: tags -1 patch

On Fri, Nov 11, 2016 at 09:30:07PM +0100, Jan Niehusmann wrote:
> Package: libcurl3
> Version: 7.51.0-1
> Severity: serious
> Justification: Policy 8.1
> 
> Dear Maintainer,
> 
> the curl ABI contains structs inherited from OpenSSL, e.g. in calls
> like:
> 
> curl_easy_setopt(easy, CURLOPT_SSL_CTX_FUNCTION, &sslCtxFunction_cb);
> 
> Here, sslCtxFunction_cb is a function which takes an SSL_CTX * as a
> parameter.
> 
> (This is from zurl, one example of a package affected by this bug.)
> 
> Since 7.51.0-1, curl links against OpenSSL 1.1 instead of OpenSSL 1.0
> (implicitly caused by an update of libssl-dev, not by a change to the
> curl package). This changes the structure of SSL_CTX, which in turn
> changes the above mentioned ABI and breaks zurl (and possibly other
> packages).
> 
> Such ABI changes require a SONAME change, according to policy 8.1,
> exactly to avoid breaking other packages which use the library.
> 
> Therefore, please consider changing the SONAME (and the name of the
> binary package).

For 3rd party software doing anything Debian-specific here would be bad.

Debian should really follow whatever upstream and other distributions
are doing when they switch to 1.1 (hopefully a new soname from upstream).

For stretch it would also not solve the problem that there is
libcurl-using software that is using OpenSSL 1.0.2.

> Alternatively, build-depend on libssl1.0-dev, to link
> against OpenSSL 1.0 and keep the old ABI.
>...

Unfortunately this is not sufficient.

libcurl4-openssl-dev also has to depend on libssl1.0-dev,
otherwise you will have the same problem the other way around.

I know it is not pretty, but the following seems to be required:

--- debian/control.old  2016-11-20 08:19:55.000000000 +0000
+++ debian/control      2016-11-20 08:20:32.000000000 +0000
@@ -16,7 +16,7 @@
  libnss3-dev,
  librtmp-dev (>= 2.4+20131018.git79459a2-3~),
  libssh2-1-dev,
- libssl-dev,
+ libssl1.0-dev,
  libtool,
  openssh-server <!nocheck>,
  python:native,
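Review bot: The switch to `libssl1.0-dev` in Build-Depends has no accompanying record of why the older OpenSSL branch is being pinned. Nothing in this patch marks it as a workaround for the ABI problem rather than a permanent choice. Please add a debian/changelog entry that references this bug, so the pin can be found and dropped once a build against 1.1 ships under a new soname.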
@@ -121,14 +121,13 @@
  libcurl4-dev,
  libcurl3-dev
 Conflicts: libcurl4-gnutls-dev, libcurl4-nss-dev
-Depends: ${misc:Depends}, libcurl3 (= ${binary:Version})
+Depends: ${misc:Depends}, libcurl3 (= ${binary:Version}), libssl1.0-dev
 Suggests: libcurl4-doc, libcurl3-dbg,
  libidn11-dev,
  libkrb5-dev,
  libldap2-dev,
  librtmp-dev,
  libssh2-1-dev,
- libssl-dev,
  pkg-config,
  zlib1g-dev
 Multi-Arch: same
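Review bot: The added hard dependency in `Depends: ${misc:Depends}, libcurl3 (= ${binary:Version}), libssl1.0-dev` sits in a stanza marked `Multi-Arch: same`, so please confirm that libssl1.0-dev is itself co-installable across architectures; otherwise this -dev package no longer is. Removing `libssl-dev` from Suggests is consistent with the new Depends. Since the dependency is unversioned and undocumented here, a short note on why it must stay a Depends would keep it from being relaxed to a Suggests again later.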


cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
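
A check for the breakage discussed in this thread, as an added example (not part of the original mail and not Debian tooling): it walks a constructed DT_NEEDED map and flags binaries whose dependency closure pulls in both OpenSSL ABI branches, one directly and one through libcurl. The binary name `fetcher` and all dependency lists are constructed sample data.

```python
import re
from collections import deque

# Constructed sample: DT_NEEDED entries in the form `objdump -p` lists them.
# The dependency lists are illustrative, not taken from real packages.
NEEDED = {
    "zurl": ["libcurl.so.4", "libssl.so.1.0.2", "libcrypto.so.1.0.2"],
    "fetcher": ["libcurl.so.4"],  # hypothetical binary using only libcurl
    "libcurl.so.4": ["libssl.so.1.1", "libcrypto.so.1.1", "libz.so.1"],
    "libssl.so.1.1": ["libcrypto.so.1.1"],
    "libssl.so.1.0.2": ["libcrypto.so.1.0.2"],
}

# Captures the ABI branch: "1.0" from libssl.so.1.0.2, "1.1" from libssl.so.1.1
OPENSSL_SONAME = re.compile(r"^lib(?:ssl|crypto)\.so\.(\d+\.\d+)")


def closure(root, needed):
    """Map every object reachable from root to the chain that loads it."""
    seen = {root: [root]}
    queue = deque([root])
    while queue:
        obj = queue.popleft()
        for dep in needed.get(obj, []):
            if dep not in seen:
                seen[dep] = seen[obj] + [dep]
                queue.append(dep)
    return seen


def openssl_branches(root, needed):
    """Map each OpenSSL ABI branch to the load chains that bring it in."""
    branches = {}
    for soname, path in closure(root, needed).items():
        match = OPENSSL_SONAME.match(soname)
        if match:
            branches.setdefault(match.group(1), []).append(" -> ".join(path))
    return branches


def mixed_openssl(root, needed):
    """True when one process would map two OpenSSL ABI branches at once."""
    return len(openssl_branches(root, needed)) > 1


if __name__ == "__main__":
    for binary in ("zurl", "fetcher"):
        status = "MIXED" if mixed_openssl(binary, NEEDED) else "ok"
        print(binary, status, openssl_branches(binary, NEEDED))
```

A binary flagged here passes or receives an `SSL_CTX *` across the libcurl boundary with two different struct layouts in play, which is the case the patch above prevents at build time.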
