On 2017-01-22 07:37:00 [+0000], Niels Thykier wrote:
> Codesearch also appears to agree with this (assuming we are only looking
> at rdeps). :) Internally, snmp appears to have a few uses of it.
if net-snmp is using it internally than it should not be a problem.
> > I would suggest to drop the the libssl1.0-dev dep in libsnmp-dev and add
> > a guard cert_util.h to ensure openssl's version is less than 1.1.0 in
> > case someone tries to use this on its own.
>
> The header file is used internally by snmp, so this change implies
> upgrading snmp to ssl1.1. All in all, we need to:
>
> * Apply the patch in #828449
Haven't look at it yet but if the patch was already blessed then maybe I
don't have to :)
> * Remove "libssl1.0-dev | libssl-dev (<< 1.1)" from Depends and add a
> "libssl-dev" to Suggests in the the "-dev" package?
>
> * Add an "#if"-guard rejecting ssl1.0 in the cert_util.h file.
> (Can you provide me with an example/patch for the guard?)
I attached a debdiff I did for testing against 1.0.2. It contains the
guard and the removal of -lcrypto from part of its exported cflags.
Initially I assued -lcrypto in some of the failed packages comes from
here but after a rebuild with this change some packages still failed and
then I started to look why and ofcourse I wiped the first pile of build
logs :) I can still rebuild it again without the removal of the cflags
but I wanted to get this email so I don't stall any longer.
> > I will try to make that change tomorrow and rebuild the packages [0].
> >
> > [...]
>
> Thanks. Let me know how it goes. I am happy to do the upload if your
> test says go and you can provide me with the "#if"-guard. (apparently,
> net-snmp also needs an unrelated patch for pie - see #852023)
The full logs are at [0] (/successful). Here is a summary:
built with the change:
- 389-ds-base_1.3.5.15-1_amd64-2017-01-22T22:37:45Z
- apcupsd_3.14.14-0.3_amd64-2017-01-22T22:37:58Z
- cluster-glue_1.0.12-5_amd64-2017-01-22T22:38:16Z
- corosync_2.4.2-3_amd64-2017-01-22T22:38:38Z
- cpqarrayd_2.3.5_amd64-2017-01-22T22:39:32Z
- cyrus-imapd_2.5.10-3_amd64-2017-01-22T22:39:40Z
- freeradius_3.0.12+dfsg-4_amd64-2017-01-22T22:40:14Z
- fwbuilder_5.1.0-4_amd64-2017-01-22T22:40:33Z
- keepalived_1.3.2-1_amd64-2017-01-22T22:42:28Z
- lldpd_0.9.6-1_amd64-2017-01-22T22:42:42Z
- netmrg_0.20-7.2_amd64-2017-01-22T22:43:39Z
- openhpi_3.6.1-2.1_amd64-2017-01-22T22:44:07Z
- openipmi_2.0.22-1.1_amd64-2017-01-22T22:44:36Z
- opensips_2.2.2-3_amd64-2017-01-22T22:44:47Z
- pchar_1.5-3_amd64-2017-01-22T22:45:53Z
- quagga_1.1.0-3_amd64-2017-01-22T22:47:09Z
- snmptrapfmt_1.14+nmu1_amd64-2017-01-22T22:47:49Z
- wmnd_0.4.17-2_amd64-2017-01-22T22:48:12Z
- zabbix_3.0.7+dfsg-1_amd64-2017-01-22T22:48:17Z
failed [0] (/attempted):
- cacti-spine_0.8.8h-2_amd64-2017-01-22T22:38:06Z
Failed due missing -lssl. Maybether since #834057. The last built
packages on buildd
https://buildd.debian.org/status/fetch.php?pkg=cacti-spine&arch=arm64&ver=0.8.8h-2&stamp=1477049179&raw=0
did not dep libssl.
Built with adding libssl-dev to deps.
- collectd_5.7.0-3_amd64-2017-01-22T22:38:33Z
Fails due to missing -lssl -lcrypto. The last built packages on buildd
https://buildd.debian.org/status/fetch.php?pkg=collectd&arch=amd64&ver=5.7.0-3&stamp=1482098794&raw=0
recommend or suggeest libssl1.1 and do not depend on it. Maybe from
esmtp. Built with libssl-dev.
-
google-cloud-print-connector_0.0~git20151105.24.1902938-2_amd64-2017-01-22T22:41:28Z
I have no idea. Fails also with -j1 and libssl-dev. Looks like #839293.
- hplip_3.16.11+repack0-1_amd64-2017-01-22T22:41:30Z
It fails due to missing -lcrypto. The last built packages on buildd
https://buildd.debian.org/status/fetch.php?pkg=hplip&arch=amd64&ver=3.16.11%2Brepack0-1&stamp=1480933967&raw=0
did no depend on libssl.
- ifstat_1.1-8.1_amd64-2017-01-22T22:42:03Z
Failed due to -j16. Built fine with -j1
- kamailio_4.4.4-1_amd64-2017-01-22T22:42:24Z
Fails due to missing openssl headers.
- nut_2.7.4-4_amd64-2017-01-22T22:43:47Z
No idea, some reloc thingy.
- pacemaker_1.1.16-1_amd64-2017-01-22T22:45:05Z
Fails due to missing -lssl. The last built packages on buildd
https://buildd.debian.org/status/fetch.php?pkg=pacemaker&arch=amd64&ver=1.1.16-1&stamp=1480613770&raw=0
do not depend on libssl. -lssl likely from esmtp.
- php7.0_7.0.14-2_amd64-2017-01-22T22:46:24Z
- php7.1_7.1.0-5_amd64-2017-01-22T22:46:37Z
checking for cURL support... yes, shared
checking for cURL in default path... not found
The unclocked quest.
The logs for those with the extra deps are in [0]
(/successful_with_additial_depend).
Waiting for further instructions.
> Thanks,
> ~Niels
[0] https://breakpoint.cc/net-snmp-without-libssl-rebuild
Sebastian
diff -Nru net-snmp-5.7.3+dfsg/debian/changelog
net-snmp-5.7.3+dfsg/debian/changelog
--- net-snmp-5.7.3+dfsg/debian/changelog 2017-01-14 09:40:05.000000000
+0100
+++ net-snmp-5.7.3+dfsg/debian/changelog 2017-01-22 21:30:19.000000000
+0100
@@ -1,3 +1,11 @@
+net-snmp (5.7.3+dfsg-1.7) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * drop dep on libssl1.0-dev in the dev package
+ * add a guard to catch users of the wrong library
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Sun, 22 Jan 2017
21:30:19 +0100
+
net-snmp (5.7.3+dfsg-1.6) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru net-snmp-5.7.3+dfsg/debian/control net-snmp-5.7.3+dfsg/debian/control
--- net-snmp-5.7.3+dfsg/debian/control 2017-01-14 09:18:58.000000000 +0100
+++ net-snmp-5.7.3+dfsg/debian/control 2017-01-22 21:21:06.000000000 +0100
@@ -120,7 +120,7 @@
Provides: libsnmp9-dev
Conflicts: libsnmp9-dev, libsnmp15-dev, snmp (<< 5.4~dfsg)
Breaks: libsnmp-base (<< 5.7.2~dfsg-8.1~)
-Depends: libc6-dev, libsnmp30 (=${binary:Version}), libwrap0-dev,
libssl1.0-dev | libssl-dev (<< 1.1), procps,
+Depends: libc6-dev, libsnmp30 (=${binary:Version}), libwrap0-dev, procps,
libkvm-dev [kfreebsd-any], libsensors4-dev [linux-any],
${misc:Depends},
libpci-dev
Description: SNMP (Simple Network Management Protocol) development files
diff -Nru
net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch
net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch
--- net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch
1970-01-01 01:00:00.000000000 +0100
+++ net-snmp-5.7.3+dfsg/debian/patches/drop_lcrypto_from_NSC_LNETSNMPLIBS.patch
2017-01-22 21:30:19.000000000 +0100
@@ -0,0 +1,22 @@
+Subject: drop lcrypto from NSC_LNETSNMPLIBS
+
+The -lcrypto in NSC_LNETSNMPLIBS shouldn't be required for most compiles. It
+will break static linking but usually don't do this.
+The main reason for this is to avoid pullin in libssl's dev package in.
+
+Signed-of-by: Sebastian Andrzej Siewior <sebastian@breakpoint.c>
+---
+ net-snmp-config.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net-snmp-config.in
++++ b/net-snmp-config.in
+@@ -49,7 +49,7 @@ datarootdir=@datarootdir@
+ NSC_LDFLAGS="@LDFLAGS@"
+
+ NSC_LIBS="@LIBS@"
+-NSC_LNETSNMPLIBS="@LNETSNMPLIBS@"
++NSC_LNETSNMPLIBS="" #"@LNETSNMPLIBS@"
+ NSC_LAGENTLIBS="@LAGENTLIBS@ @PERLLDOPTS_FOR_APPS@"
+ NSC_LMIBLIBS="@LMIBLIBS@"
+
diff -Nru
net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch
net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch
--- net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch
1970-01-01 01:00:00.000000000 +0100
+++ net-snmp-5.7.3+dfsg/debian/patches/ensure_correct_openssl_version.patch
2017-01-22 21:29:51.000000000 +0100
@@ -0,0 +1,24 @@
+Subject: Ensure correct openssl version
+
+The dev package does not depend on openssl headers which means 1.0.2 and 1.1.0
+can be installed. If cert_util.h functionality is used by 3rd party then it
+should be ensured that it is linked and compiled against 1.0.2.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
+---
+ include/net-snmp/library/cert_util.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/include/net-snmp/library/cert_util.h
++++ b/include/net-snmp/library/cert_util.h
+@@ -9,6 +9,10 @@
+ #error "must include <openssl/x509.h> before cert_util.h"
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000
++#error This needs to be compiled against openssl 1.0.2.
++#endif
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/series
net-snmp-5.7.3+dfsg/debian/patches/series
--- net-snmp-5.7.3+dfsg/debian/patches/series 2016-09-02 16:26:20.000000000
+0200
+++ net-snmp-5.7.3+dfsg/debian/patches/series 2017-01-22 21:30:19.000000000
+0100
@@ -32,3 +32,5 @@
fix_engineid_reprobe.diff
0001-Remove-U64-typedef.patch
0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch
+ensure_correct_openssl_version.patch
+drop_lcrypto_from_NSC_LNETSNMPLIBS.patch
