On Mon, Nov 14, 2016, at 08:21, Adrian Bunk wrote:
> On Mon, Nov 14, 2016 at 05:03:45AM +0100, Ondřej Surý wrote:
> > > Looking at mod_ssl_openssl.h and the comment in #828330,
> > > I'd suggest the change below to add a dependency on libssl1.0-dev
> > > to apache2-dev.
> > 
> > And that exactly happens meaning that PHP 7.0 can no longer be built
> > unless all its build-depends (including PHP 7.0) and rdepends move to
> > libssl1.0-dev as well.
> > 
> > So a nice deadlock, right? To be honest I would rather have a slightly
> > less tested apache2 with OpenSSL 1.1.0 and iron out the bugs as we go
> > than revert all the work I have done.
> > 
> > I reviewed the patch Kurt has provided and I don't see any strong reason
> > why anything should break.
> >...
> 
> Can you guarantee that rdeps of Apache can use 1.0.2 in stretch when 
> Apache itself uses 1.1?

Why?

> That is the most important question here.

No, I think the question is:

Can we migrate (or drop) all rdeps to 1.0.2?

> This is what my "mod_ssl_openssl.h and the comment in #828330"
> was referring to.
> 
> The dual 1.0.2/1.1 setup for stretch can only work when any set of 
> packages in the archive that needs the same OpenSSL version stays
> at 1.0.2 unless *all* packages in this set are compiling and working
> fine with 1.1

The *set* you are talking about probably covers the whole archive, since the
Build-Depends of PHP are quite vast and here are the Build-Depends
of Build-Depends:

(This is from stretch, not from unstable)
apache2-dev libssl-dev (>= 0.9.8m)
libc-client2007e-dev libssl-dev
libcurl4-openssl-dev libssl-dev
libevent-dev libssl-dev
libkrb5-dev libssl-dev
libpq-dev libssl-dev
libsasl2-dev libssl-dev
libsnmp-dev libssl-dev (>> 0.9.8)

Grepping just Depends: on -dev packages is slightly more optimistic:

apache2-dev libssl-dev (<< 1.1)
libc-client2007e-dev libssl-dev
libpq-dev libssl-dev
libsnmp-dev libssl-dev

But ultimately I am afraid that libssl dependencies are so entangled
that it will cover the whole archive.

> And since the OpenSSL version used is part of the libcurl3 ABI
> (see #844018 for details), using 1.1 in stretch is anyway not
> really an option for Apache/PHP in stretch.

What you are really saying is that using OpenSSL 1.1 is generally
not an option for stretch.

Cheers,
-- 
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for
baking bread of all kinds
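
The rule debated above (a set of packages that needs the same OpenSSL version stays at 1.0.2 unless all of them work with 1.1), as an added example that is not part of the original thread. It assumes two packages are coupled when one depends on the other and both reach libssl-dev; `standalone-tool` and the readiness sets are hypothetical.

```python
from collections import defaultdict

# Constructed input, "package: dependencies". The php7.0 and *-dev lines follow
# the lists in the message above; "standalone-tool" is a hypothetical package.
DEPS = """\
php7.0: apache2-dev libc-client2007e-dev libcurl4-openssl-dev libpq-dev libsnmp-dev
apache2-dev: libssl-dev
libc-client2007e-dev: libssl-dev
libcurl4-openssl-dev: libssl-dev
libpq-dev: libssl-dev
libsnmp-dev: libssl-dev
standalone-tool: libssl-dev
"""

def parse(text):
    graph = {}
    for line in text.splitlines():
        if line.strip():
            pkg, _, deps = line.partition(":")
            graph[pkg.strip()] = deps.split()
    return graph

def uses_openssl(graph, pkg, seen=None):
    """True if pkg reaches libssl-dev through its dependencies."""
    seen = set() if seen is None else seen
    if pkg == "libssl-dev":
        return True
    if pkg in seen:
        return False
    seen.add(pkg)
    return any(uses_openssl(graph, d, seen) for d in graph.get(pkg, []))

def coupled_sets(graph):
    """Group OpenSSL users joined by a dependency edge (union-find)."""
    users = [p for p in graph if uses_openssl(graph, p)]
    parent = {p: p for p in users}
    def find(p):
        while parent[p] != p:
            parent[p] = parent[parent[p]]
            p = parent[p]
        return p
    for pkg in users:
        for dep in graph[pkg]:
            if dep in parent:  # dep is itself an OpenSSL user
                parent[find(dep)] = find(pkg)
    groups = defaultdict(set)
    for p in users:
        groups[find(p)].add(p)
    return list(groups.values())

def target_version(group, ready_for_11):
    """The whole set moves to 1.1 only if every member is ready; else 1.0.2."""
    return "1.1" if group <= ready_for_11 else "1.0.2"
```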
