On Tue, Nov 01, 2016 at 11:26:15PM +0100, Cyril Brulebois wrote:
> Hi,
>
> Just random thoughts…
>
> Kurt Roeckx <k...@roeckx.be> (2016-11-01):
> > I just uploaded OpenSSL 1.1.0 to unstable. There are still many
> > packages that fail to build using OpenSSL 1.1.0. For most packages
> > it should be easy to migrate to 1.1.0. The most common problems when
> > going to OpenSSL 1.1.0 are:
> > - configure trying to detect a function that's now a macro.
> > - Accessing members of structures that have now become opaque. You
> >   now need to use functions to get or set them.
> >
> > The changes required are usually very easy and do not take a long
> > time to implement.
> >
> > Many upstream projects have already done the work or are working
> > on it. Fedora is also doing the OpenSSL 1.1.0 migration. So both
> > places are a good place to look at to see if they have already
> > done the work.
> >
> > There might also be packages for which the changes are more
> > involved and that can't be fixed in time for the release. If you
> > want to stay with OpenSSL 1.0.2 you need to change your Build-Depends
> > from libssl-dev to libssl1.0-dev.
> >
> > I would like to encourage that at least the packages that are
> > making use of libssl and not just libcrypto move to OpenSSL 1.1.0
> > because it contains important new features. It adds support for,
> > among other things:
> > - Extended master secret: This fixes the triple handshake problem
> >   in TLS.
> > - Chacha20-poly1305
> > - X25519
>
> Things that work fine for this kind of transitions (hello, new gcc
> upstream releases) include:
>  - pointers to upstream release notes;
>  - pointers to porting guides;

All the filed bugs already contain a link to the porting guide.

>  - pointers to existing patches for common fixes if the former don't
>    exist just yet (but then that would be a rather unprepared move).
>
> (Mentioning “many upstream projects” and “Fedora” is better than nothing
> but isn't as helpful as what I've listed above.)
>
> > If you have any problems feel free to contact us.
>
>  - are “you” <pkg-openssl-de...@lists.alioth.debian.org>?

Yes.


Kurt