Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-12-06 Thread Ferenc Wágner
Sam Hartman  writes:

> can we (Debian) support SSL 1.1 with Shibboleth?
> That is, are the patches something you're comfortable integrating as
> Debian?

I haven't seen the latest iteration of the Santuario compatibility
patches yet.  Judging by the earlier glimpses, they are quite big and
require several memory management changes and at least one logic change.
But they are backed by tests and they are the result of a big chunk of
careful work.  If we weren't talking about security software, I'd have
no objections...  If upstream released the compatible code (not the
current patch set, which has divergent code paths at more places than
necessary) soon, even without changing to OpenSSL 1.1, that would also
help, because the compatibility defines and functions are provided by
the OpenSSL porting guide and the maintenance/support areas stayed well
separated for upstream and Debian.  I'd still welcome reviewers, though,
please don't let me do this alone.

But I still think it would be better to provide libcurl4-openssl1.0-dev
somehow.  Curl already provides several flavours (for OpenSSL, NSS and
GnuTLS), though extending this to OpenSSL 1.0 isn't readily possible
because libssl1.0-dev conflicts with libssl-dev.  Curl maintainers
(Cc-ed), do you think you could pull this off?
-- 
Thanks,
Feri



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-12-05 Thread Sam Hartman
So,
can we (Debian) support SSL 1.1 with Shibboleth?
That is, are the patches something you're comfortable integrating as
Debian?



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-12-04 Thread Cantor, Scott
On 12/4/16, 4:00 PM, "Ferenc Wagner,,, on behalf of Ferenc Wágner" wrote:

> Sure you did, and nobody blames you (I hope my mail didn't come through
> like that).

No, it didn't.

Didn't Debian at one time support simultaneous installation of libcurl built on 
both NSS and OpenSSL? Can't they just provide a libcurl for both OpenSSL 
versions, with appropriate naming changes?

-- Scott
 



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-12-04 Thread Ferenc Wágner
"Cantor, Scott"  writes:

> Didn't Debian at one time support simultaneous installation of libcurl
> built on both NSS and OpenSSL?

It still does.

> Can't they just provide a libcurl for both OpenSSL versions, with
> appropriate naming changes?

I think that would be possible, and I even brought it up in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828608#25, but didn't
want to push it too hard before the dispute around the whole transition
settled.  Well, it ceased by now, but I can't find the conclusion, thus
my query... as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844018
seems stuck as well.
-- 
Feri



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-12-04 Thread Ferenc Wágner
"Cantor, Scott"  writes:

> On 12/4/16, 11:09 AM, wf...@niif.hu wrote:
>
>> I can't see any conclusion in the OpenSSL 1.1 thread on debian-devel,
>> but we're running out of time.  We can't keep XMLTooling at OpenSSL
>> 1.0, because libcurl uses 1.1, but we can't switch to 1.1 either,
>> because the latest upstream release doesn't support it yet.  Have we
>> got any option left to ship Shibboleth in stretch after all?
>
> I'm pretty sure I expressed disbelief that Debian was going to move to
> 1.1 this quickly when I got wind of it, and that there was no chance
> we (the Shibboleth Project) would be able to support it that quickly.

Sure you did, and nobody blames you (I hope my mail didn't come through
like that).  I was inquiring other Debian project members, whether they
know why that fairly heated discussion died off so abruptly a week ago,
and what we should aim for now, a month before the stretch freeze.
-- 
Regards,
Feri



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-12-04 Thread Cantor, Scott
On 12/4/16, 11:09 AM, "Pkg-shibboleth-devel on behalf of Ferenc Wágner" wrote:

> I can't see any conclusion in the OpenSSL 1.1 thread on debian-devel,
> but we're running out of time.  We can't keep XMLTooling at OpenSSL 1.0,
> because libcurl uses 1.1, but we can't switch to 1.1 either, because the
> latest upstream release doesn't support it yet.  Have we got any option
> left to ship Shibboleth in stretch after all?

I'm pretty sure I expressed disbelief that Debian was going to move to 1.1 this 
quickly when I got wind of it, and that there was no chance we (the Shibboleth 
Project) would be able to support it that quickly.

-- Scott




Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-12-04 Thread Ferenc Wágner
Russ Allbery  writes:

> wf...@niif.hu (Ferenc Wágner) writes:
>
>> Just adding that Shibboleth itself is also problematic, because
>> XMLTooling, which is incompatible with OpenSSL 1.1, uses libcurl,
>> which already switched to OpenSSL 1.1.  So switching xml-security-c
>> to OpenSSL 1.0 did not actually solve the problem for Shibboleth
>> because of the above version clash in XMLTooling.  Shall I bring it
>> up with the curl maintainers?  Or wait for the conclusion on
>> debian-devel?
>
> This seems like something we're going to have to figure out
> project-wide, since the way the transition is currently set up doesn't
> seem likely to work.

Hi,

I can't see any conclusion in the OpenSSL 1.1 thread on debian-devel,
but we're running out of time.  We can't keep XMLTooling at OpenSSL 1.0,
because libcurl uses 1.1, but we can't switch to 1.1 either, because the
latest upstream release doesn't support it yet.  Have we got any option
left to ship Shibboleth in stretch after all?
-- 
Thanks,
Feri



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-11-15 Thread Bernd Zeimetz
hi,

so as it seems either my mirror was lagging or my cowbuilder failed on
the update - but with the recent upload of libxml-security-c-dev using
1.0 I can build open-vm-tools, which will work for now - as long as no
other dependency hell will arise.

best regards,

bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-11-14 Thread Cantor, Scott
> It's worth noting that Apache also requires OpenSSL 1.0, which may also
> affect what the Shibboleth stack can link against.

No, that code is isolated into shibd, mod_shib doesn't link to it. That was 
deliberate of course, for exactly this reason.

There are edge cases. If you link Xerces to libcurl as a netaccessor, that can 
link in openssl and impact mod_shib. Otherwise, not generally.

-- Scott
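
Added example, not part of the thread or of any participant's code: a check for the situation discussed here, where one process ends up with two OpenSSL versions because a library several links away (libcurl) was built against a different one. The load graph, file names and sonames below are constructed for illustration; on a real system the edges would come from the NEEDED entries of each object.

```python
import re
from collections import deque

# Constructed load graph: object -> objects it pulls into the same process
# (DT_NEEDED entries as listed by `objdump -p`, plus modules a server loads).
# All file names and sonames here are illustrative assumptions.
LOADS = {
    "shibd": ["libxmltooling.so.7", "libxml-security-c.so.17"],
    "libxmltooling.so.7": ["libcurl.so.4", "libssl.so.1.0.2", "libcrypto.so.1.0.2"],
    "libxml-security-c.so.17": ["libcrypto.so.1.0.2"],
    "libcurl.so.4": ["libssl.so.1.1", "libcrypto.so.1.1"],
    "apache2": ["mod_ssl.so", "mod_shib.so"],
    "mod_ssl.so": ["libssl.so.1.0.2", "libcrypto.so.1.0.2"],
    "mod_shib.so": ["libxerces-c.so"],
    "libxerces-c.so": [],
}
OPENSSL_RE = re.compile(r"^lib(ssl|crypto)\.so\.(.+)$")

def openssl_paths(root, loads):
    """Breadth-first walk from root; map each libssl/libcrypto soname in the
    transitive closure to the shortest chain of objects that pulls it in."""
    paths, seen, queue = {}, {root}, deque([[root]])
    while queue:
        path = queue.popleft()
        for dep in loads.get(path[-1], []):
            if dep in seen:
                continue
            seen.add(dep)
            if OPENSSL_RE.match(dep):
                paths[dep] = path + [dep]
            else:
                queue.append(path + [dep])
    return paths

def version_clash(root, loads):
    """Return {component: [versions]} for OpenSSL components that would be
    loaded in more than one version into the process started from root."""
    versions = {}
    for soname in openssl_paths(root, loads):
        component, version = OPENSSL_RE.match(soname).groups()
        versions.setdefault(component, set()).add(version)
    return {c: sorted(v) for c, v in versions.items() if len(v) > 1}

if __name__ == "__main__":
    # Edge case from the message above: Xerces built with the libcurl netaccessor.
    with_curl = dict(LOADS, **{"libxerces-c.so": ["libcurl.so.4"]})
    for name, graph in (("shibd", LOADS), ("apache2", LOADS), ("apache2", with_curl)):
        print(name, version_clash(name, graph) or "no clash")
        for chain in openssl_paths(name, graph).values():
            print("   ", " -> ".join(chain))
```

The printed chain for each soname shows which intermediate library introduces the second OpenSSL version, which is the package whose build dependency would have to change.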



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-11-14 Thread Russ Allbery
wf...@niif.hu (Ferenc Wágner) writes:

> Just adding that Shibboleth itself is also problematic, because
> XMLTooling, which is incompatible with OpenSSL 1.1, uses libcurl, which
> already switched to OpenSSL 1.1.  So switching xml-security-c to OpenSSL
> 1.0 did not actually solve the problem for Shibboleth because of the
> above version clash in XMLTooling.

It's worth noting that Apache also requires OpenSSL 1.0, which may also
affect what the Shibboleth stack can link against.

> Shall I bring it up with the curl maintainers?  Or wait for the
> conclusion on debian-devel?

This seems like something we're going to have to figure out project-wide,
since the way the transition is currently set up doesn't seem likely to
work.

-- 
Russ Allbery (r...@debian.org)   



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-11-14 Thread Ferenc Wágner
Russ Allbery  writes:

> Bernd Zeimetz  writes:
>
>> unfortunately your decision to depend on libssl1.0-dev breaks the build of
>> open-vm-tools as most other build-dependencies decided to migrate to
>> the new openssl version.
>
>> I know that shibboleth is the issue, but the current situation breaks
>> open-vm-tools, which is a requirement if you want to run Debian on
>> vmware - and there are *loads* of installations out there.
>
> Well, my understanding is that xml-security-c doesn't support OpenSSL 1.1
> upstream, the porting is not trivial, and will not be completed in the
> release time frame.  So I'm not sure there's any other alternative.
>
> Whatever dependencies that were pushing open-vm-tools to 1.1 may have to
> be reverted back to 1.0.

Just adding that Shibboleth itself is also problematic, because
XMLTooling, which is incompatible with OpenSSL 1.1, uses libcurl, which
already switched to OpenSSL 1.1.  So switching xml-security-c to OpenSSL
1.0 did not actually solve the problem for Shibboleth because of the
above version clash in XMLTooling.  While I've got the patches porting
xml-security-c and XMLTooling to OpenSSL 1.1, they aren't integrated
into upstream yet (and probably won't ever be in their current form).
So at least libcurl will have to be switched back to OpenSSL 1.0, or
the Shibboleth stack will see serious trouble.  Shall I bring it up with
the curl maintainers?  Or wait for the conclusion on debian-devel?
-- 
Thanks,
Feri



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-11-13 Thread Russ Allbery
Bernd Zeimetz  writes:

> unfortunately your decision to depend on libssl1.0-dev breaks the build of
> open-vm-tools as most other build-dependencies decided to migrate to
> the new openssl version.

> I know that shibboleth is the issue, but the current situation breaks
> open-vm-tools, which is a requirement if you want to run Debian on
> vmware - and there are *loads* of installations out there.

Well, my understanding is that xml-security-c doesn't support OpenSSL 1.1
upstream, the porting is not trivial, and will not be completed in the
release time frame.  So I'm not sure there's any other alternative.

Whatever dependencies that were pushing open-vm-tools to 1.1 may have to
be reverted back to 1.0.

-- 
Russ Allbery (r...@debian.org)   



Bug#844263: libxml-security-c-dev: depending on libssl1.0-dev breaks open-vm-tools

2016-11-13 Thread Bernd Zeimetz
Package: libxml-security-c-dev
Version: 1.7.3-4
Severity: serious

Hi,

unfortunately your decision to depend on libssl1.0-dev breaks the build of
open-vm-tools as most other build-dependencies decided to migrate to
the new openssl version.

I know that shibboleth is the issue, but the current situation breaks
open-vm-tools, which is a requirement if you want to run Debian on
vmware - and there are *loads* of installations out there.

Thanks,

Bernd

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F