On Wednesday 14 March 2012 17:18:19 Kurt Roeckx wrote:
> On Wed, Mar 14, 2012 at 02:30:29PM -0400, Mike Frysinger wrote:
> > On Wednesday 14 March 2012 14:25:32 Dr. Stephen Henson wrote:
> > > On Wed, Mar 14, 2012, Mike Frysinger wrote:
> > > > On Wednesday 14 March 2012 11:09:22 OpenSSL wrote:
> > > > >    OpenSSL version 1.0.1 released
> > > > >    ===============================
> > > > >    
> > > > >        http://www.openssl.org/source/exp/CHANGES.
> > > > >    
> > > > >    The most significant changes are:
> > > > >       o TLS/DTLS heartbeat support.
> > > > >       o SCTP support.
> > > > >       o RFC 5705 TLS key material exporter.
> > > > >       o RFC 5764 DTLS-SRTP negotiation.
> > > > >       o Next Protocol Negotiation.
> > > > >       o PSS signatures in certificates, requests and CRLs.
> > > > >       o Support for password based recipient info for CMS.
> > > > >       o Support TLS v1.2 and TLS v1.1.
> > > > >       o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
> > > > >       o SRP support.
> > > > 
> > > > i don't see mention of ABI compat changes, and it seems to not be
> > > > compatible. did someone forget to update the version string in
> > > > crypto/opensslv.h ?  it still says "1.0.0" ...
> > > 
> > > Can you be more specific about "seems to not be compatible".
> > 
> > if the versions were compatible, there should be no warning when running
> > apps with openssl-1.0.1 that were built against openssl-1.0.0*.  but there is:
> >     OpenSSL version mismatch. Built against 1000005f, you have 1000100f
> 
> As far as I know, we disabled most such checks in Debian because
> they're not really useful.  I can change the ABI without changing
> the version, or have the same ABI with a different version.  If
> it's not compatible the soname should have changed.  The
> application shouldn't go and second guess that it's really
> compatible or not.
> 
> And if the soname stays the same but the ABI is not compatible, we
> also have ways to deal with that.

i'm not looking for downstream workarounds here but rather the right answer.  
is openssl-1.0.1 expected to be ABI compatible with openssl-1.0.0 ?  there was 
nothing in the notes that i saw, and this is a significant change in behavior 
from how openssl has loooooong operated.  and it wouldn't be the first time 
that a new openssl release had bugs in it including forgetting to update the 
version number (which i've reported before) or can't even compile for some 
targets due to files missing from the release tarball.

if, indeed, openssl has started down the enlightened ABI compatible path, then 
i can work on fixing relevant packages that do runtime version sanity checks 
such as openssh.  but i haven't heard an answer in either direction as to the 
openssl behavior: "it's a bug" or "it's correct behavior".
-mike
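
The two numbers in the warning quoted above, decoded as an added example (not code from this thread, OpenSSL, or OpenSSH). It assumes the 0xMNNFFPPS layout OpenSSL documents for pre-3.0 version numbers; `exact_match` and `relaxed_match` are hypothetical policies for an application-side check and say nothing about whether 1.0.1 is in fact ABI compatible with 1.0.0.

```c
#include <stdio.h>

/* Fields of a pre-3.0 OpenSSL version number, laid out as 0xMNNFFPPS:
 * major, minor, fix, patch (letter: 1 = a, 5 = e), status (0xf = release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4) & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Hypothetical strict policy: any difference counts as a mismatch. */
static int exact_match(unsigned long built, unsigned long runtime)
{
    return built == runtime;
}

/* Hypothetical relaxed policy: same major.minor, and the runtime library
 * is not older (fix, then patch) than the headers used at build time.
 * The status nibble is ignored. */
static int relaxed_match(unsigned long built, unsigned long runtime)
{
    struct ossl_ver b = ossl_decode(built), r = ossl_decode(runtime);
    if (b.major != r.major || b.minor != r.minor)
        return 0;
    if (r.fix != b.fix)
        return r.fix > b.fix;
    return r.patch >= b.patch;
}

int main(void)
{
    /* Values taken from the warning quoted in the thread. */
    unsigned long built = 0x1000005fUL, runtime = 0x1000100fUL;
    struct ossl_ver b = ossl_decode(built), r = ossl_decode(runtime);

    printf("built:   %u.%u.%u patch %u status %x\n",
           b.major, b.minor, b.fix, b.patch, b.status);
    printf("runtime: %u.%u.%u patch %u status %x\n",
           r.major, r.minor, r.fix, r.patch, r.status);
    printf("exact: %d  relaxed: %d\n",
           exact_match(built, runtime), relaxed_match(built, runtime));
    return 0;
}
```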
