On 01/03/18 22:31, Alessandro Ghedini wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: transition
> Hello,
> I'd like to request a transition for curl in order to unblock the migration
> to OpenSSL 1.1 (#871056).


> This is necessary due to the fact that the curl ABI
> exposes a structure inherited from libssl itself, which was changed in the 1.1
> update (see #844018 for more information).
> It is for the most part a clean ABI bump, however a few packages that build
> depend on both libcurl and libssl will need source uploads so they can also
> migrate to OpenSSL 1.1. The following packages were identified as part of the
> discussion in #858398:
> * hhvm: #858927 (sid-only)
> * lastpass-cli: #858991 
> * libapache2-mod-auth-cas: 858992
> * netsurf: #859230
> * xmltooling: #859831
> * zurl: #859841

xmltooling / Shibboleth / xml-security-c don't seem ready yet. Apparently there
are patches upstream but there have been no new releases and they are not easy
to backport. I suppose at some point we'll need to stop blocking on them. They
can be fixed later and re-enter testing when that happens, there's still plenty
of time before the freeze.

Also zurl seems to need Qt with openssl 1.1, which is only in experimental atm.
That shouldn't be a blocker for this though (we can temporarily kick it from
testing if necessary). But let's wait a bit and see.

> The updated curl package (7.58.0-3) has been uploaded and accepted in
> experimental. The full changeset (from Steve Langasek) can be found at:
> https://salsa.debian.org/debian/curl/merge_requests/3/diffs
> The auto-generated tracker (which looks correct) is:
> https://release.debian.org/transitions/html/auto-curl.html

It doesn't. There are false positives due to e.g. libcurl3-gnutls and
libcurl4-gnutls-dev matching is_good / is_bad respectively. I'll see if I can
come up with a better regexp later today.


Reply via email to