2017-02-19 9:48 GMT+05:00 Илья Шипицин <chipits...@gmail.com>:

>
>
> 2017-02-19 4:16 GMT+05:00 David Sommerseth <openvpn@sf.lists.topphemmelig.net>:
>
>> On 18/02/17 08:34, Илья Шипицин wrote:
>> >     I added openssl-1.0.1e to test matrix (do not pay attention to
>> >     commit title, it happened accidentally from iPad), so ...
>> >
>> >     https://travis-ci.org/OpenVPN/openvpn/jobs/202709493
>> >
>> > t_cltsrv.sh + openssl-1.0.1f  = OK
>> > t_cltsrv.sh + openssl-1.0.1e = FAIL
>>
>> Okay, let's get a few important details straight first.  When I spoke
>> about openssl-1.0.1e, it was in an RHEL context (including CentOS and
>> Scientific Linux).  In reality, that is not the same version as OpenSSL
>> upstream 1.0.1e.  Red Hat employs people to backport bugfixes and
>> security fixes from newer OpenSSL 1.0.x releases to 1.0.1e. So the
>> OpenSSL _baseline_ is 1.0.1e [1].  But it must not be compared directly
>> against v1.0.1e from openssl.org.  The baseline defines a /stable ABI/
>> (Application Binary Interface) which applications linking against the
>> library can rely on.  This is what makes RHEL and the clones so stable
>> over 7-10++ years.  And this is the challenge backporters in Red Hat
>> struggle with; not breaking applications which work.
>>
>> So unless I have misunderstood your travis commit ... you set the
>> version to 1.0.1e regardless of Linux distribution.  This itself does
>> not provide any real value for us.  As there are a lot of bugfixes and
>> security implemented in the OpenSSL package RHEL ships ... you can get
>> an idea by looking at the changelog of the openssl RPM package:
>> <https://git.centos.org/blob/rpms!!openssl/1c5d99a56e70d3f668fd69f148538c635dd990d6/SPECS!openssl.spec#L642>
>>
>> RHEL6 was released in May 2010 while RHEL7 in June 2014.  What you see
>> above is the changelog for RHEL7.  If my count is correct, that is
>> currently 127 patches *on top of* the upstream OpenSSL v1.0.1e.  I
>> wouldn't expect this patch list to be much longer on RHEL 6 though.
>>
>> So unless your travis script is clever enough to only test OpenSSL
>> v1.0.1e on RHEL, CentOS or ScientificLinux *or* build OpenSSL using the
>> CentOS source RPM ... then I am not surprised things may fail.  Red Hat
>> may very well have fixed some bugs which we're hitting.
>>
>
>
> well, RedHat not only ship their very own openssl, but also their own
> openvpn package
>
> https://dl.fedoraproject.org/pub/epel/7/SRPMS/o/
>
> I see, there's %check section, but it is commented. Not sure how they test
> it. We should get in touch with redhat people if we want openvpn properly
> tested and packaged
>
> I'll have a look at 'make check' under centos later
>

make check is ok under CentOS 7 (it is shipped with openssl-1.0.1e)


>
>
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>> OpenVPN Technologies, Inc
>>
>>
>>
>>
>> [1] The reason is that all the _baseline_ packages in major RHEL
>>     releases are certified against a lot of hardware (IBM, HP, Dell,
>>     EMC, NetApp, etc, etc) and third party software (SAP, Oracle, etc,
>>     etc).  So rebasing is out of question, as that requires new, time
>>     consuming and expensive re-certifications.  Which is why you
>>     extremely seldom see version updates on packages.  Those few times
>>     that happens, it is usually considered to not break any important
>>     certifications.  Like, a SAP server installation probably doesn't
>>     have any dependencies against the GNOME 3 packages.
>>
>>
>>
>>
>>
>>
>
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
