[Pkg-openssl-devel] Bug#804487: Bug#804487: openssl_1.0.2d-3 breaks mumble and mumble-server after binNMU

Chris Knadle Chris.Knadle at coredump.us
Tue Mar 15 00:44:37 UTC 2016


Mikkel Krautz:
> On Sun, Mar 13, 2016 at 9:20 PM, Chris Knadle <Chris.Knadle at coredump.us> wrote:
>> Mikkel Krautz:
>>> On Sun, Mar 13, 2016 at 2:58 PM, Kurt Roeckx <kurt at roeckx.be> wrote:
>>>> I would also like to say again that if we can somehow see in the
>>>> meta data that they are using libssl, they would get rebuilt at the
>>>> same time and you wouldn't get into this situation that they are
>>>> using a different version.
>>> 
>>> My vote is also 100% for doing that. Preferably via
>>> '-openssl-linked'.
>> 
>> I'm building qt4-x11 with ./configure -openssl-linked with OpenSSL
>> 1.0.2d-1 now and will then build test versions of mumble with it to
>> verify what the behavior is.

I had trouble but managed to build qt4-x11 yesterday; the trouble was that
it requires 10 GB of space to accomplish, and the chroots I was using were
on the / filesystem on an SSD drive and repeatedly ran out of space; the
Debian buildds showed the builds took 5.3 GB.  Then I got confused with all
the versions I have of Mumble in Git repos for testing this problem -- but
it seems like I can stop the -openssl-linked testing here...

> I believe we found that -openssl-linked would not work for Qt in Debian
> because of potential license incompatibilities with OpenSSL. Basically,
> by using -openssl-linked, unsuspecting software that links to QtNetwork
> (but is not compatible with the OpenSSL license) will be implicitly
> linked to OpenSSL, and thus create binaries that cannot be
> redistributed.

Wow, foiled at every turn!  How deep does this rabbit hole go?

Thanks for finding this.


Kurt Roeckx:
> On Mon, Mar 14, 2016 at 10:25:30PM +0100, Mikkel Krautz wrote:
>> Quoting Kurt Roeckx:
>>> I would also like to say again that if we can somehow see in the meta
>>> data that they are using libssl, they would get rebuilt at the same
>>> time and you wouldn't get into this situation that they are using a
>>> different version.
>> 
>> Is this not possible without using -openssl-linked?
> 
> Maybe a Recommends in Qt?  But that's not picked up by the release team's
> transition tracker.  It could also just add a Depends ...
> 
> Maybe it's something you should ask the release team for input about?

Yep, I agree.

I think I'd also like to contact the Security Team about whether having two
different copies of libssl/libcrypto dlopen()ed for a binary has any
security concerns.  I'm guessing not, but if there were it would help give
me justification for temporary breakage during the binNMU cycle for OpenSSL
upgrades with library renames.

  -- Chris

-- 
Chris Knadle
Chris.Knadle at coredump.us
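Chris asks whether two copies of libssl/libcrypto dlopen()ed into one binary matter; a first step is knowing whether a running process is actually in that state. The following is an added example, not code from this thread, from Debian or from Mumble: a POSIX sh check over /proc/<pid>/maps that reports when libssl or libcrypto is mapped under more than one soname. The soname values and the maps lines are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the thread or from Debian.  Detects whether a
# process has more than one version of libssl or libcrypto mapped, which is
# the situation described above (one copy linked directly, another pulled in
# through Qt's dlopen()).  Reads /proc/<pid>/maps or a saved copy of it.

# Print each distinct libssl/libcrypto object mapped, one per line.
ssl_libs_from_maps() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ { n = split($6, p, "/"); print p[n] }' \
        "$1" | sort -u
}

# Print how many distinct libssl/libcrypto objects are mapped.
count_ssl_objects() {
    ssl_libs_from_maps "$1" | wc -l | tr -d ' '
}

# Return 0 when each of libssl and libcrypto appears in at most one version,
# 1 when some library name is mapped under two or more sonames.
check_single_ssl_version() {
    if ssl_libs_from_maps "$1" | sed 's/\.so\..*$//' | sort | uniq -d | grep -q .; then
        return 1
    fi
    return 0
}

# Constructed maps excerpt (not a real capture): libssl/libcrypto .so.1.0.0
# linked directly, plus a second pair under a renamed 1.0.2 soname.
SAMPLE_MIXED=$(mktemp)
cat > "$SAMPLE_MIXED" <<'EOF'
7f1a00000000-7f1a00200000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f1a00200000-7f1a00210000 r--p 00200000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f1a00400000-7f1a00600000 r-xp 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f1a01000000-7f1a01200000 r-xp 00000000 08:01 1240 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
7f1a01400000-7f1a01600000 r-xp 00000000 08:01 1241 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2
7f1a02000000-7f1a02100000 r-xp 00000000 08:01 1300 /usr/lib/x86_64-linux-gnu/libQtNetwork.so.4.8.7
7f1a03000000-7f1a03021000 rw-p 00000000 00:00 0
EOF

# Constructed clean excerpt: a single version of each library.
SAMPLE_CLEAN=$(mktemp)
grep -v 'so\.1\.0\.2' "$SAMPLE_MIXED" > "$SAMPLE_CLEAN"

if check_single_ssl_version "$SAMPLE_MIXED"; then echo "mixed: ok"; else echo "mixed: two OpenSSL versions mapped"; fi
# For a live process: check_single_ssl_version /proc/"$(pidof mumble)"/maps
```

Against a real process the same check runs on /proc/<pid>/maps directly; a non-zero return means the binary carries two OpenSSL versions at once, which is exactly the state a binNMU cycle with a library rename can leave behind.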
