[Pkg-net-snmp-devel] Bug#851946: Depending on libssl1.0-dev breaks PHP builds
Ondřej Surý
ondrej at debian.org
Mon Jan 23 09:18:58 UTC 2017
Niels,
do you think this might get resolved in time to make the freeze
deadline? I would like to enter freeze with up-to-date PHP version, so I
don't have to upload to testing-security right away ;)
Cheers,
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
On Sun, Jan 22, 2017, at 08:37, Niels Thykier wrote:
> Sebastian Andrzej Siewior:
> > On 2017-01-20 21:36:00 [+0000], Niels Thykier wrote:
> >> Hi Ondřej,
> >>
> >> Sorry for being the "messenger" triggering this issue in php7.0.
> >>
> >> Kurt/Sebastian, what are you recommendations here? Should we migrate
> >> net-snmp itself to ssl1.1 (possibly with all of its rdeps) or can we
> >> detangle net-snmp and php7 from each other in a graceful manner?
> >
> > [...] I grep the deps [0] and didn't find a user of
> > cert_util.h so it looks like nobody cares about that.
> >
>
> Thanks. :)
>
> Codesearch also appears to agree with this (assuming we are only looking
> at rdeps). :) Internally, snmp appears to have a few uses of it.
>
> > I would suggest to drop the the libssl1.0-dev dep in libsnmp-dev and add
> > a guard cert_util.h to ensure openssl's version is less than 1.1.0 in
> > case someone tries to use this on its own.
>
> The header file is used internally by snmp, so this change implies
> upgrading snmp to ssl1.1. All in all, we need to:
>
> * Apply the patch in #828449
>
> * Remove "libssl1.0-dev | libssl-dev (<< 1.1)" from Depends and add a
> "libssl-dev" to Suggests in the the "-dev" package?
>
> * Add an "#if"-guard rejecting ssl1.0 in the cert_util.h file.
> (Can you provide me with an example/patch for the guard?)
>
> > I will try to make that change tomorrow and rebuild the packages [0].
> >
> > [...]
>
> Thanks. Let me know how it goes. I am happy to do the upload if your
> test says go and you can provide me with the "#if"-guard. (apparently,
> net-snmp also needs an unrelated patch for pie - see #852023)
>
>
> Thanks,
> ~Niels
>
>
More information about the Pkg-net-snmp-devel
mailing list