[csw-maintainers] At least Openssl 1.0 !

Yann Rouillard yann at pleiades.fr.eu.org
Sat May 12 19:50:17 CEST 2012


Unbelievable! OpenSSL 1.0 packages are close to being on their way to the
OpenCSW repository.

You will find openssl 1.0.1c packages in my experimental repository:
    yes | pkgrm CSWopenssl-utils CSWlibssl-dev
    pkgutil -t http://buildfarm.opencsw.org/opencsw/experimental/yann -i openssl_utils libssl_dev libssl1_0_0

Before releasing them, I would welcome additional testing from other
members and in particular, build tests with these new libraries.
I already rebuilt my own packages (openssh, vsftpd, lftp) to ensure there are
no build or execution problems.

I updated the PKCS11 patch so these libraries should still take advantage
of SPARC crypto capabilities if you enable the pkcs11 engine.
I am working on integrating the T4 and aesni crypto acceleration support
but it will be in a later build (and it seems Solaris 11 specific).


Some notes concerning the migration:

  - libssl_dev will be replaced with the 1.0.1c version, so once it is
    installed on the buildfarm, all subsequent builds will be linked with
    libssl 1.0 and it will no longer be possible to build against libssl 0.9.8.
    There doesn't seem to be any API incompatibility and the same choice has
    been made by other distros, but this is the reason why I would
    welcome additional build tests so I can be certain.


  - libssl 0.9.8 will of course still be there (and maintained); it can be
    installed alongside libssl 1.0.
    Starting with libssl 1.0, the SSL engines directory has been moved into a
    versioned directory so we don't have filename clashes.

    However, within a month or two, I will start to file bugs against
    packages linked with libssl 0.9.8 to ask for a rebuild with libssl 1.0.


  - libssl relies on system-wide hash symbolic links located in
    /etc/opt/csw/ssl/certs to verify certificates (provided by the
    ca_certificates packages under OpenCSW).
    Unfortunately, the hash system has changed between 0.9.8 and 1.0; the
    ca_certificates package and the c_rehash script (used to generate the
    symlinks) have been modified to always generate the old and the new hash
    symlinks. There is a clash risk but it should be low.


  - I don't plan on updating the openssl package so that it depends on
    libssl 1.0. This package is a legacy of a time when there was a unique
    package containing libraries, development files and the openssl tools.
    Packages should no longer depend on this package and I prefer to drop it
    the day we remove libssl 0.9.8 from the repository.


Thanks in advance for any comment and feedback,

Yann
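
The dual hash symlinks mentioned in the message, as an added example that is not part of the original post and is not the OpenCSW c_rehash script. It assumes an openssl 1.0 or later binary (which provides both `-subject_hash` and `-subject_hash_old`) and a `readlink` command; the function names `link_hash` and `rehash_both` are hypothetical.

```shell
#!/bin/sh
# Added example: create both the 0.9.8-style and the 1.0-style hash symlink
# for every PEM certificate in a directory (a simplified c_rehash).
# Assumes openssl >= 1.0 and readlink are available; names are hypothetical.

# link_hash DIR HASH FILE
# Create DIR/HASH.N -> FILE using the first free suffix N, unless an
# existing HASH.N already points at FILE.
link_hash() {
    dir=$1 hash=$2 file=$3 n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$file" ]; then
            return 0        # this certificate is already linked
        fi
        n=$((n + 1))        # name taken by another certificate: next suffix
    done
    ln -s "$file" "$dir/$hash.$n"
}

# rehash_both DIR
# For each DIR/*.pem, link it under its new (1.0) and old (0.9.8) subject hash
# so that both library versions can find it in the same directory.
rehash_both() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        base=$(basename "$pem")
        # Skip files openssl cannot parse as a certificate.
        new=$(openssl x509 -noout -subject_hash -in "$pem") || continue
        old=$(openssl x509 -noout -subject_hash_old -in "$pem") || continue
        link_hash "$dir" "$new" "$base"
        link_hash "$dir" "$old" "$base"
    done
}
```

Call it as `rehash_both /path/to/certs` on a copy of a certificate directory; a name already used by a different certificate is resolved by taking the next `.N` suffix.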