On 11.11.2016 at 21:30:07 +0100, Jan Niehusmann wrote:
> the curl ABI contains structs inherited from OpenSSL, e.g. in calls
> like:
> 
> curl_easy_setopt(easy, CURLOPT_SSL_CTX_FUNCTION, &sslCtxFunction_cb);
> 
> Here, sslCtxFunction_cb is a function which takes an SSL_CTX * as a
> parameter.
> 
> (This is from zurl, one example of a package affected by this bug.)
> 
> Since 7.51.0-1, curl links against OpenSSL 1.1 instead of OpenSSL 1.0
> (implicitly caused by an update of libssl-dev, not by a change to the
> curl package). This changes the structure of SSL_CTX, which in turn
> changes the above mentioned ABI and breaks zurl (and possibly other
> packages).

And libcurl3 in testing links with libssl1.0.2 while libcurl3 in
jessie links with libssl1.0.0.  And while structure of SSL_CTX is
probably identical in this case, global state of libssl is different,
as well as code and supported features are different.

Also, when libcurl is linked with OpenSSL older than 1.1 many
applications need to be linked with the same OpenSSL libraries as curl
as they need to initialize libssl as described in
https://lists.debian.org/debian-devel/2016/11/msg00718.html
With OpenSSL 1.1 this requirement goes away, as newer OpenSSL
initializes itself automatically (and if application initializes old
version of OpenSSL no harm is done).

> Such ABI changes require a SONAME change, according to policy 8.1,
> exactly to avoid breaking other packages which use the library.
> 
> Therefore, please consider changing the SONAME (and the name of the
> binary package). Alternatively, build-depend on libssl1.0-dev, to link
> against OpenSSL 1.0 and keep the old ABI.

If SONAME change is needed it is needed when linking libcurl with
libssl1.0.2 too.  (But when linking libcurl with libssl1.0.2 more
applications are affected due to the need of explicit initialization.)
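
An added example, not part of the original message or of curl or zurl: a runtime guard an application can run before installing a CURLOPT_SSL_CTX_FUNCTION callback, refusing to touch the SSL_CTX * when libcurl's OpenSSL differs from the headers the application was built against. The function name is hypothetical, and treating a difference in major.minor.fix as a mismatch is an assumption; the sample strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 when the TLS backend string reported by libcurl
 * (curl_version_info(CURLVERSION_NOW)->ssl_version, e.g. "OpenSSL/1.0.2j")
 * names the same OpenSSL major.minor.fix as the headers the application
 * was compiled against (OPENSSL_VERSION_NUMBER, layout 0xMNNFFPPS),
 * 0 on a mismatch, -1 when the backend is not OpenSSL or is unparsable.
 * Hypothetical helper: only on 1 is it safe to dereference the SSL_CTX *. */
int ssl_ctx_abi_matches(const char *curl_ssl_version, unsigned long hdr_version)
{
    static const char prefix[] = "OpenSSL/";
    unsigned maj, min, fix;

    if (curl_ssl_version == NULL)
        return -1;
    while (isspace((unsigned char)*curl_ssl_version))
        curl_ssl_version++;                 /* tolerate leading blanks */
    if (strncmp(curl_ssl_version, prefix, sizeof prefix - 1) != 0)
        return -1;                          /* GnuTLS, NSS, ...: no SSL_CTX */
    if (sscanf(curl_ssl_version + sizeof prefix - 1, "%u.%u.%u",
               &maj, &min, &fix) != 3)
        return -1;

    return maj == ((hdr_version >> 28) & 0xf) &&
           min == ((hdr_version >> 20) & 0xff) &&
           fix == ((hdr_version >> 12) & 0xff);
}

int main(void)
{
    /* Constructed sample values. A real program passes
     * curl_version_info(CURLVERSION_NOW)->ssl_version and
     * OPENSSL_VERSION_NUMBER instead. */
    const char *reported[] = { "OpenSSL/1.0.2j", "OpenSSL/1.1.0c",
                               "GnuTLS/3.5.6" };
    unsigned long built_against = 0x100020afUL;   /* headers of 1.0.2j */

    for (size_t i = 0; i < sizeof reported / sizeof reported[0]; i++)
        printf("%-16s -> %d\n", reported[i],
               ssl_ctx_abi_matches(reported[i], built_against));
    return 0;
}
```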
