Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-23 Thread Baptiste Jonglez
On Thu, Feb 23, 2017 at 10:29:17PM +0100, Christian Hesse wrote:
> > I will push the first set of packages to [staging]. Please avoid doing 
> > other rebuilds until this one is done.
> 
> Are you interested in details?

FWIW, Debian stretch has openssl 1.1.0, so I guess they had to adapt lots
of packages.

> Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does
> not carry anything useful. There's a reference for a review, but I could not
> find the patch in mail archive. Will try to contact the developers and
> express our interest...

The debian package uses `-DWITH_SSL=bundled` [1] to avoid linking with the
system-wide openssl.  Not a great solution, though.

> Mupdf is a burden to maintain due to build system, bundled libraries and
> static linking. Looks like upstream is not yet interested in openssl 1.1.0...
> As I do not use it currently this will move to [community] if no one
> steps up. 

Can't you just drop the dependency on openssl?  What is it used for?
As far as I can tell, Debian does not build mupdf against openssl:

root@stretch:~# apt show mupdf
Package: mupdf
Version: 1.9a+ds1-4
Depends: libc6 (>= 2.15), libfreetype6 (>= 2.6), libharfbuzz0b (>= 0.9.11), 
libjbig2dec0 (>= 0.11), libjpeg62-turbo (>= 1.3.1), libopenjp2-7 (>= 2.0.0), 
libx11-6, libxext6, zlib1g (>= 1:1.2.0)
root@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep ssl
root@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep crypto
root@stretch:~#

I just tested building the package without openssl support (I had to patch
out references to openssl and libcrypto from Makerules, since openssl is
part of the base chroot when building), and it seems to work fine.

Baptiste

[1] https://packages.debian.org/stretch/libmariadbclient18
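
The check shown above with ldd, as an added example that is not part of the original thread: it reads the direct DT_NEEDED entries from `readelf -d`, which only parses the file, where ldd may execute it and also reports transitive dependencies. The function names and the two sample dynamic sections are constructed for illustration; the old sonames are the ones named in the rebuild announcement.

```shell
#!/bin/sh
# Added example: flag ELF files that still request the OpenSSL 1.0 sonames.
OLD_SONAMES='libssl.so.1.0.0 libcrypto.so.1.0.0'

# Read `readelf -d` output on stdin, print one DT_NEEDED soname per line.
needed_sonames() {
    sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# Read `readelf -d` output on stdin; print the old OpenSSL sonames found,
# space-separated. Returns 0 if any were found, 1 otherwise.
old_openssl_deps() {
    found=''
    for lib in $(needed_sonames); do
        for old in $OLD_SONAMES; do
            if [ "$lib" = "$old" ]; then found="${found:+$found }$lib"; fi
        done
    done
    if [ -z "$found" ]; then return 1; fi
    printf '%s\n' "$found"
}

# Print "path: sonames" for every given file still linked against 1.0.
scan_paths() {
    for f in "$@"; do
        deps=$(readelf -d "$f" 2>/dev/null | old_openssl_deps) || continue
        printf '%s: %s\n' "$f" "$deps"
    done
}

# Constructed sample: dynamic section of a binary not yet rebuilt.
sample_old() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}

# Constructed sample: the same binary after a rebuild against 1.1.
sample_rebuilt() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}

# Usage: sh check-openssl.sh /usr/bin/* /usr/lib/*.so*
if [ "$#" -gt 0 ]; then scan_paths "$@"; fi
```

A statically linked or bundled copy of the library has no DT_NEEDED entry, so this check does not see it.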





Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-23 Thread Antonio Rojas
On Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse wrote:

> Mariadb is still unsolved. There is a ticket in upstream jira [0] but it
> does not carry anything useful. There's a reference for a review, but I
> could not find the patch in mail archive. Will try to contact the
> developers and express our interest...

In the meantime, is temporarily switching to internal yassl (as Debian 
does) an option? This is blocking all Qt rebuilds (which will also be a 
pain themselves), so it would be nice to have a build in staging soonish.


Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-23 Thread Christian Hesse
Pierre Schmitz  on Sat, 2017/02/11 09:32:
> On 29.01.2017 21:49, Pierre Schmitz wrote:
> > Hi,
> > 
> > I'd like to propose a migration to OpenSSL 1.1. The update comes with
> > ABI and API changes. Every linked package needs to be rebuilt. There
> > will likely be broken packages. Once the protobuf* rebuild has left
> > the [staging] repo I would like to upload a first set of OpenSSL 1.1
> > packages.
> > 
> > I have created a todo list of packages that either have a direct
> > dependency on openssl or link to libssl.so.1.0.0 or
> > libcrypto.so.1.0.0:
> >   https://www.archlinux.org/todo/openssl-110-rebuild/  
> 
> I will push the first set of packages to [staging]. Please avoid doing 
> other rebuilds until this one is done.

Are you interested in details?

I have a working version of openvpn, but it requires heavy patching. I will
wait for version 2.4.1 which has a lot of preparation (and with some luck is
ported completely). Will push an openssl rebuild then.
If anybody is interested... Raise your hands and let me know, I can provide
packages for testing.

Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does
not carry anything useful. There's a reference for a review, but I could not
find the patch in mail archive. Will try to contact the developers and
express our interest...

Mupdf is a burden to maintain due to build system, bundled libraries and
static linking. Looks like upstream is not yet interested in openssl 1.1.0...
As I do not use it currently this will move to [community] if no one
steps up. 

[0] https://jira.mariadb.org/browse/MDEV-10332
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [arch-dev-public] Away on business next week

2017-02-23 Thread Christian Hesse
Dave Reisner  on Thu, 2017/02/23 10:53:
> - core/curl: new release 7.53.0, but expect 7.53.1 in the next few days.
>   keep in mind there's an openssl rebuild in staging that complicates
>   this.

I took responsibility for this one.

> - core/systemd: expecting v233 to be released some time early next week.
>   I sort of don't want to be a part of this impending shitfest, even
>   after I return. As of right now, it's been 111 days and 1109 commits
>   since the last release. Expect bugs. I wouldn't package this right
>   away.

Yeah, let's see what breaks this time... :-P
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [arch-dev-public] Away on business next week

2017-02-23 Thread Felix Yan
On 02/23/2017 11:53 PM, Dave Reisner wrote:
> - core/util-linux: maintenance release, 2.29.2. Don't forget to bump
>   multilib/lib32-util-linux if you touch this.
Bumped for CVE-2017-2616.

-- 
Regards,
Felix Yan


