2017-02-19 4:16 GMT+05:00 David Sommerseth <
open...@sf.lists.topphemmelig.net>:
> On 18/02/17 08:34, Илья Шипицин wrote:
> > I added openssl-1.0.1e to test matrix (do not pay attention to
> > commit title, it happened accidentally from iPad), so ...
> >
> > https://travis-ci.org/OpenVPN/openvpn/jobs/202709493
> >
> > t_cltsrv.sh + openssl-1.0.1f = OK
> > t_cltsrv.sh + openssl-1.0.1e = FAIL
>
> Okay, let's get a few important details straight first. When I spoke
> about openssl-1.0.1e, it was in an RHEL context (including CentOS and
> Scientific Linux). In reality, that is not the same version as OpenSSL
> upstream 1.0.1e. Red Hat employs people to backport bugfixes and
> security fixes from newer OpenSSL 1.0.x releases to 1.0.1e. So the
> OpenSSL _baseline_ is 1.0.1e [1]. But it must not be compared directly
> against v1.0.1e from openssl.org. The baseline defines a /stable ABI/
> (Application Binary Interface) which applications linking against the
> library can rely on. This is what makes RHEL and the clones so stable
> over 7-10++ years. And this is the challenge backporters in Red Hat
> struggle with; not breaking applications which work.
>
> So unless I have misunderstood your travis commit ... you set the
> version to 1.0.1e regardless of Linux distribution. This itself does
> not provide any real value for us. As there are a lot of bugfixes and
> security implemented in the OpenSSL package RHEL ships ... you can get
> an idea by looking at the changelog of the openssl RPM package:
> <https://git.centos.org/blob/rpms!!openssl/1c5d99a56e70d3f668fd69f148538c635dd990d6/SPECS!openssl.spec#L642>
>
> RHEL6 was released in May 2010 while RHEL7 in June 2014. What you see
> above is the changelog for RHEL7. If my count is correct, that is
> currently 127 patches *on top of* the upstream OpenSSL v1.0.1e. I
> wouldn't expect this patch list to be much longer on RHEL 6 though.
>
> So unless your travis script is clever enough to only test OpenSSL
> v1.0.1e on RHEL, CentOS or ScientificLinux *or* build OpenSSL using the
> CentOS source RPM ... then I am not surprised things may fail. Red Hat
> may very well have fixed some bugs which we're hitting.
>
Well, RedHat not only ships their very own openssl, but also their own
openvpn package:
https://dl.fedoraproject.org/pub/epel/7/SRPMS/o/
I see there's a %check section, but it is commented. Not sure how they test
it. We should get in touch with redhat people if we want openvpn properly
tested and packaged.
I'll have a look at 'make check' under centos later.
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
> [1] The reason is that all the _baseline_ packages in major RHEL
> releases are certified against a lot of hardware (IBM, HP, Dell,
> EMC, NetApp, etc, etc) and third party software (SAP, Oracle, etc,
> etc). So rebasing is out of the question, as that requires new, time
> consuming and expensive re-certifications. Which is why you
> extremely seldom see version updates on packages. Those few times
> that happens, it is usually considered to not break any important
> certifications. Like, a SAP server installation probably doesn't
> have any dependencies against the GNOME 3 packages.
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel