Wietse Venema via Postfix-users wrote in
<[email protected]>:
|> ...
|>|> Jun 7 23:41:16 outwall/smtpd[19222]: warning: run-time library \
|>|> vs. compile-time header version mismatch: OpenSSL 3.3.0 may not \
|>|> be compatible with OpenSSL 3.2.0
|> ...
|>|[.] OpenSSL 3.2.0 and 3.3.0
|>|are ABI and API compatible. I would not expect to see a warning or
|>|error. See <https://www.openssl.org/policies/general/versioning-policy.h\
|>|tml>.
|
|Some irrelevant background: that document covers OpenSSL 3.0 and
|later (earlier releases use a different versioning scheme).
|
|>|From the document under Minor Release:
|>|
|>| A minor release is indicated by changing the second number of the
|>| version. A minor release can, and generally will, introduce new
|>| features. However both the API and ABI will be preserved.
|
|That same document says under "Patch release":
|
| A patch release is indicated by changing the final number of
| the version. A patch release will only contain bug and security
| fixes. Both the API and ABI will remain compatible across patch
| releases.
|
|Note that only the text for "Patch release" promises that the "Both
|the API and ABI will remain compatible".

Hm, you have read the page, and i think Jeffrey is right in noting
that, effectively, the postfix log message is technically false.
However i also think the OpenSSL page is very confusing, as you
correctly point out, since

  For example, a program built with OpenSSL release 3.0.1 will be
  able to run with OpenSSL 3.1.0 but might not be able to take
  advantage of new features without modification.

how could a program compiled for 3.0.1 use features at all which
were introduced with a later minor version.
Btw they also say it *could* happen also here, with the same
"Exceptions to these rules require a vote by the OMC." clause they
use for API/ABI breakage for minor releases.

|Based on that, Postfix will not complain when the build-time and
|run-time versions differ only in the Patch release number.

Yes, i know what it does, since i think i now have opened the
third issue on AlpineLinux, all in all, (this time i only reopened
the last one, that much is plain), in order to reduce the lengthy
log overhead (my logs rotate after 200 kilobytes).

|> This is postfix. I must say, out of my head i have no idea
|> whether it has always been like that for minor releases for one,
|> and whether that is also true for LibreSSL, and the other SSL
|> libraries that postfix possibly works with. And AlpineLinux did
|> use LibreSSL for some time in the past.
|
|Postfix 3.6 and later pretty-much require OpenSSL.

I like and use the config stuff whenever possible, and support the
generalized config file support (i even think it was me who
sparked the idea), it is a bit sad it is not overall supported..
(Despite the terrible syntax, wouldn't it be tremendous if all
servers of a box could be TLS-configured via this single file;
then again, today, each and every one is boxed, and no one wants to
reveal secrets of the others, heh, well, but i for one still like
the idea very much, and support even user application support, at
least as a generic default template picked up like that.)
That is, i have not looked how you have implemented it in postfix,
and then there is Viktor who sails on hardcore paths in this area.

Btw, for the MUA i maintain, i have two "log obsoleted"
mechanisms, one generic for marked variables, or that

  #define n_OBSOLETE(X) \
     do if(!su_state_has(su_STATE_REPRODUCIBLE) && !ok_blook(quiet)){\
        static boole su_CONCAT(a__warned__, __LINE__);\
        if(!su_CONCAT(a__warned__, __LINE__)){\
           su_CONCAT(a__warned__, __LINE__) = TRU1;\
           n_err("%s: %s\n", _("Obsoletion warning"), X);\
        }\
     }while(0)
  #define n_OBSOLETE2(X,Y) \
     do if(!su_state_has(su_STATE_REPRODUCIBLE) && !ok_blook(quiet)){\
        static boole su_CONCAT(a__warned__, __LINE__);\
        if(!su_CONCAT(a__warned__, __LINE__)){\
           su_CONCAT(a__warned__, __LINE__) = TRU1;\
           n_err("%s: %s: %s\n", _("Obsoletion warning"), X, Y);\
        }\
     }while(0)

I hate it and dream of the day all these terrible things have
vanished.

P.S.: i did not respond in another thread, this is the postfix
list and not my one, but it contained these paragraphs that i now
include nonetheless while i am here:

|Google wants your smtp_helo_name (default: $myhostname) to have an SPF
|policy.

I had my SPF record deleted for at least a month, without just any
problems; i had DKIM, then. Thereafter some German server gave
"550 [SPF]", and though i complained i reinstantiated the SPF
record (which has ~all, so i do not understand how this can be
useful, but so it is).
However, if i recall correctly he said he cannot DKIM sign, so
there is nothing at all to identify his server even on hop one.

and

P.S.: i will no longer post it here, but i had released v0.6.2 of
s-dkim-sign to fix a false s-postgray copy&paste of IP/CIDR
matching; Coverity 0.00 defect density, too. Verifier side maybe
in autumn. Thank you.

(I will post an excerpt of the above on the openssl-users list,
since the wording for "minor" is simply broken.)

Ciao and a nice Sunday i wish from Germany!

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
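
Added example, not part of the message above and not Postfix source code: the two version-comparison policies debated in this thread, applied to the OpenSSL 3.x numeric version encoding. The function names and sample values are constructed; the second policy assumes the minor-release promise only holds when the run-time library is not older than the build-time headers.

```c
#include <stdio.h>

/* OpenSSL 3.x packs OPENSSL_VERSION_NUMBER as 0xMNN00PP0
 * (M = major, NN = minor, PP = patch). */
struct ossl_ver { unsigned major, minor, patch; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major = (unsigned)((v >> 28) & 0xf);
    r.minor = (unsigned)((v >> 20) & 0xff);
    r.patch = (unsigned)((v >> 4) & 0xff);
    return r;
}

/* Model of the behaviour described in the thread: returns 1 (warn)
 * unless the two versions differ only in the patch number. */
static int warn_unless_patch_only(unsigned long built, unsigned long running)
{
    struct ossl_ver b = ossl_decode(built), r = ossl_decode(running);
    return b.major != r.major || b.minor != r.minor;
}

/* Alternative (assumption, hypothetical policy): trust the minor-release
 * ABI promise, but still warn when the major differs or the run-time
 * minor is older than the one compiled against. */
static int warn_unless_minor_compatible(unsigned long built, unsigned long running)
{
    struct ossl_ver b = ossl_decode(built), r = ossl_decode(running);
    return b.major != r.major || r.minor < b.minor;
}

int main(void)
{
    /* Constructed sample values; a real program would pass
     * OPENSSL_VERSION_NUMBER and OpenSSL_version_num(). */
    static const unsigned long pairs[][2] = {
        {0x30200000UL, 0x30300000UL}, /* built 3.2.0, running 3.3.0 */
        {0x30200000UL, 0x30200010UL}, /* built 3.2.0, running 3.2.1 */
        {0x30300000UL, 0x30200000UL}, /* built 3.3.0, running 3.2.0 */
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        struct ossl_ver b = ossl_decode(pairs[i][0]), r = ossl_decode(pairs[i][1]);
        printf("built %u.%u.%u run %u.%u.%u: patch-only=%d minor-compat=%d\n",
               b.major, b.minor, b.patch, r.major, r.minor, r.patch,
               warn_unless_patch_only(pairs[i][0], pairs[i][1]),
               warn_unless_minor_compatible(pairs[i][0], pairs[i][1]));
    }
    return 0;
}
```

The first pair is the 3.2.0 / 3.3.0 case from the quoted log line: the patch-only policy warns, the minor-compatible policy stays silent.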