Bug#828236: Bug#844160: openssl 1.1 and apache2

2016-11-14 Thread Russ Allbery
Stefan Fritsch  writes:

> I must admit that I did not think of php when doing that change, sorry. 

> On the other hand, shibboleth-sp2 also build-depends on apache2-dev and there 
> have been some indications that shibboleth won't be switching to openssl 1.1 
> for stretch. See https://lists.debian.org/debian-release/2016/11/msg00024.html

It turns out that Shibboleth will be okay if Apache goes to 1.1.  The
Shibboleth code that goes into Apache is isolated from the OpenSSL use
inside Shibboleth, so we can keep building Shibboleth against 1.0 and
Apache can go to 1.1 and all the pieces are happy.  (The OpenSSL work is
done in a separate daemon, shibd, that the Apache module talks to.)

(Not that this solves all the problems, but just FYI.)

-- 
Russ Allbery (r...@debian.org)   



Bug#828236: Bug#844160: openssl 1.1 and apache2

2016-11-14 Thread Stefan Fritsch
On Monday, 14 November 2016 05:03:45 CET Ondřej Surý wrote:
> > Looking at mod_ssl_openssl.h and the comment in #828330,
> > I'd suggest the change below to add a dependency on libssl1.0-dev
> > to apache2-dev.
> 
> And that exactly happens meaning that PHP 7.0 can no longer be built
> unless all its build-depends (including PHP 7.0) and rdepends move to
> libssl1.0-dev as well.
> 
> So a nice deadlock, right? To be honest I would rather have a slightly
> less tested apache2 with OpenSSL 1.1.0 and iron out the bugs as we go
> than revert all the work I have done.

I must admit that I did not think of php when doing that change, sorry. 

On the other hand, shibboleth-sp2 also build-depends on apache2-dev and there 
have been some indications that shibboleth won't be switching to openssl 1.1 
for stretch. See https://lists.debian.org/debian-release/2016/11/msg00024.html

I agree with Ondřej that this will get very entangled. There will be one big 
dependency-blob that contains most complex packages and can only be 
transitioned together. And a few leaf packages that can be transitioned 
easily. For example, subversion also build-depends on apache, and kde
build-depends on subversion. Though libsvn-dev does not depend on apache2-dev, so
maybe this is not actually a problem.

> I reviewed the patch Kurt has provided and I don't see any strong reason
> why anything should break.

With Kurt's patch, apache2 crashes on startup with an invalid free. On the 
other hand, the patch from the upstream 2.4.x-openssl-1.1.0-compat branch 
seems to work at first glance and does not cause any regression in the test 
suite. So if we are going to have apache with openssl 1.1, it's going to be 
the upstream patch. 

But we first need to figure out what to do with shibboleth-sp2.

My preference would be to make openssl 1.0 provide libssl-dev again and only 
have a few simple packages opt-in to using libssl1.1-dev.

Cheers,
Stefan
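
The "dependency blob" argument above can be worked through mechanically. The following is an added example, not code from the thread or from any Debian tool: a simplified model in which a source package is pinned to an OpenSSL ABI by every libssl -dev package reachable through the Depends of its build-dependencies, and is deadlocked if it reaches both libssl1.0-dev and libssl-dev (which conflict). The relations are constructed from the thread's own statements (apache2-dev pulling in a libssl -dev, php7.0 and shibboleth-sp2 build-depending on apache2-dev, subversion build-depending on apache, kde on libsvn-dev, libsvn-dev not depending on apache2-dev); shibboleth-sp2 being modelled as also build-depending on libssl1.0-dev is an assumption for illustration, and no real archive index is consulted.

```python
"""Simplified model of a libssl transition: which source packages end up in
the same transition group and which are deadlocked.

All package relations below are constructed for illustration from the
thread's statements; they are not read from a real Sources/Packages index.
"""
from collections import deque

# Which -dev packages pin a build to an OpenSSL ABI. They conflict with
# each other, so a build environment may contain at most one of them.
SSL_DEV = {"libssl1.0-dev": "1.0", "libssl-dev": "1.1"}

# Constructed Build-Depends of the source packages named in the thread.
# shibboleth-sp2 depending on libssl1.0-dev directly is an assumption.
BUILD_DEPENDS = {
    "php7.0": {"apache2-dev", "libssl-dev"},
    "shibboleth-sp2": {"apache2-dev", "libssl1.0-dev"},
    "subversion": {"apache2-dev"},
    "kde": {"libsvn-dev"},
}


def apache_on(version):
    """Constructed Depends of -dev packages, with apache2-dev built against
    the given OpenSSL version ("1.0" -> libssl1.0-dev, "1.1" -> libssl-dev)."""
    ssl_dev = {v: k for k, v in SSL_DEV.items()}[version]
    return {
        "apache2-dev": {ssl_dev},
        "libsvn-dev": set(),       # does not depend on apache2-dev
        "libssl1.0-dev": set(),
        "libssl-dev": set(),
    }


def dev_closure(build_deps, dev_depends):
    """Transitive closure of Depends over the -dev packages, breadth first."""
    seen = set()
    queue = deque(build_deps)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(dev_depends.get(pkg, ()))
    return seen


def ssl_versions(build_deps, dev_depends):
    """Set of OpenSSL ABIs reached by one source package's build environment."""
    closure = dev_closure(build_deps, dev_depends)
    return {SSL_DEV[d] for d in closure if d in SSL_DEV}


def classify(build_depends, dev_depends):
    """Group sources by the single ABI they reach; list those reaching both.

    Returns (groups, deadlocked): groups maps "1.0", "1.1" or "none" to a
    set of source packages; deadlocked is a sorted list of sources whose
    build environment would need both libssl -dev packages at once.
    """
    groups, deadlocked = {}, []
    for src, deps in build_depends.items():
        versions = ssl_versions(deps, dev_depends)
        if len(versions) > 1:
            deadlocked.append(src)
        else:
            key = versions.pop() if versions else "none"
            groups.setdefault(key, set()).add(src)
    return groups, sorted(deadlocked)


if __name__ == "__main__":
    for version in ("1.0", "1.1"):
        groups, deadlocked = classify(BUILD_DEPENDS, apache_on(version))
        print(f"apache2-dev on OpenSSL {version}:")
        print("  groups:", {k: sorted(v) for k, v in groups.items()})
        print("  deadlocked:", deadlocked)
```

Running it shows the two sides of the thread: with apache2-dev pulling in libssl1.0-dev, php7.0 is the deadlocked package (it also build-depends on libssl-dev); with apache2-dev on 1.1, php7.0 builds and the assumed shibboleth-sp2 build-dependency on libssl1.0-dev becomes the conflict instead, while kde stays out of either group because libsvn-dev does not reach a libssl -dev package at all.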