(Resending to fix the mail headers, sorry. Please reply to this one, not the previous one.)
Hi. You're receiving this mail because you fall into one or more of the following categories:

 * Are associated with the curl package (To)
 * Have been involved in discussions I found in the BTS about libcurl and openssl 1.1 (CC), e.g. in #850880 or #844018
 * Maintain a package which calls CURLOPT_SSL_CTX_FUNCTION (CC, "CURLOPT_SSL_CTX_FUNCTION callers")
 * Are the Release Team (To, see bullet point 3 below)

We really need to migrate libcurl to openssl 1.1. This is #858398, which has not seen activity from any libcurl maintainers.

I am listed as an Uploader for curl but I haven't done a curl upload and don't really understand the issues well. But, as far as I understand it, the right thing to do is just to change the build-dependencies.

I have prepared a patch to do this and intend to upload it to sid on Sunday unless someone explains to me why it's a bad idea. See below.

Reasons I am aware that it *might* be a bad idea are:

 1. libcurl exposes parts of the openssl ABI, via CURLOPT_SSL_CTX_FUNCTION, and this would be an implicit ABI break without libcurl soname change. This is not good, but it seems like the alternative would be to diverge our soname from everyone else's for the same libcurl.

 2. For the reason just mentioned, it might be a good idea to put in a Breaks against old versions of packages using CURLOPT_SSL_CTX_FUNCTION. However, (a) I am not sure if this is actually necessary (b) in any case I don't have a good list of all the appropriate versions (c) maybe this would need coordination.

 3. This might be an implicit "transition" (in the Debian release management sense) which I would be mishandling, or starting without permission, or something.

 4. Perhaps not all of libcurl's rdepends can cope with openssl 1.1. However, now is a good time to break them so we discover them and can fix them.

It seems to me that now is a good time in the Buster release cycle to take all these risks.
If you think uploading this on Sunday would be a bad idea please let me know ASAP. This issue has been festering and obviously we should fix #858398 which is RC for libcurl, but nevertheless I'm prepared to wait a bit longer because (i) I'm not confident I know what I'm doing (ii) I don't think these issues have necessarily been explored properly. If someone else has a better understanding I would be quite happy to hand this issue over to someone else. Failing that, any contribution of relevant facts, opinions, suggestions, etc. would be very welcome. Thanks, Ian. >From 87df3380466355ac58572f5bff93734624fc214a Mon Sep 17 00:00:00 2001 From: Ian Jackson <ijack...@chiark.greenend.org.uk> Date: Thu, 23 Nov 2017 12:49:08 +0000 Subject: [PATCH] Change build-depends to list libssl-dev first. Outcome in sid/buster is to switch to openssl 1.1. I am not changing the soname despite the implied change to the libcurl ABI, because we don't want to make our libcurl have a nonstandard soname. --- debian/changelog | 9 +++++++++ debian/control | 4 ++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index d5bb5791..f2413cdd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +curl (7.56.1-2) unstable; urgency=low + + * Change build-depends to list libssl-dev first. Outcome in sid/buster + is to switch to openssl 1.1. I am not changing the soname despite the + implied change to the libcurl ABI, because we don't want to make our + libcurl have a nonstandard soname. + + -- Ian Jackson <ijack...@chiark.greenend.org.uk> Thu, 23 Nov 2017 12:48:48 +0000 + curl (7.56.1-1) unstable; urgency=medium * New upstream release diff --git a/debian/control b/debian/control index 0871ade6..20b33f42 100644 --- a/debian/control +++ b/debian/control 
@@ -18,7 +18,7 @@ Build-Depends: debhelper (>= 9.20141010~), libpsl-dev, librtmp-dev (>= 2.4+20131018.git79459a2-3~), libssh2-1-dev, - libssl1.0-dev | libssl-dev (<< 1.1), + libssl-dev | libssl1.0-dev, libtool, openssh-server <!nocheck>, python:native, @@ -130,7 +130,7 @@ Suggests: libcurl4-doc, libldap2-dev, librtmp-dev, libssh2-1-dev, - libssl1.0-dev | libssl-dev (<< 1.1), + libssl-dev | libssl1.0-dev, pkg-config, zlib1g-dev Multi-Arch: same -- 2.11.0 -- Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own. If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
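
Review bot: The new 7.56.1-2 entry in the debian/changelog hunk does not close the bug this upload is for. The covering mail identifies it as #858398, so adding "(Closes: #858398)" to the bullet would let the BTS record the fix. The entry mentions the implied libcurl ABI change but does not name CURLOPT_SSL_CTX_FUNCTION, which is the interface the mail says exposes it; naming it would tell maintainers of calling packages that the entry concerns them.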
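
Review bot: In both debian/control hunks the replacement "libssl-dev | libssl1.0-dev" drops the version bound the old line carried ("libssl-dev (<< 1.1)"), so the OpenSSL that libcurl is built against is decided by whatever libssl-dev the build environment provides, and the changelog's "switch to openssl 1.1" holds only where that package is 1.1. If 1.1 is the intent, a lower bound on libssl-dev in Build-Depends, without the libssl1.0-dev fallback, would make a build against 1.0 fail instead of succeeding silently. The second hunk is in a Suggests field, where the fallback alternative is harmless but should match whichever OpenSSL the library was actually built with. Neither hunk adds a Breaks on existing CURLOPT_SSL_CTX_FUNCTION callers, the question the mail leaves open in point 2.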
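
The implicit ABI break from point 1 of the mail, seen from the side of a CURLOPT_SSL_CTX_FUNCTION caller: the following is an added example, not code from the mail, from curl or from Debian, of a startup check that refuses to install the callback when libcurl's TLS library does not match the OpenSSL the caller was compiled against. The function name ssl_ctx_abi_check and the sample version values are constructed for illustration, and comparing only major.minor (1.0 versus 1.1) is an assumption chosen to match the mismatch this thread is about. A real caller would pass curl_version_info(CURLVERSION_NOW)->ssl_version and its own OPENSSL_VERSION_NUMBER.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of comparing the caller's compile-time OpenSSL with the TLS
 * library libcurl reports at run time. */
enum ctx_abi { CTX_ABI_OK = 0, CTX_ABI_MISMATCH = 1, CTX_ABI_NOT_OPENSSL = 2 };

/*
 * curl_ssl_version: the ssl_version string libcurl reports, for example
 *                   "OpenSSL/1.1.0g". Passed in as a string so that this
 *                   example builds without libcurl.
 * app_openssl:      the caller's OPENSSL_VERSION_NUMBER, in the 0xMNNFFPPS
 *                   layout used by OpenSSL 1.0.x and 1.1.x.
 * Assumption: a differing major.minor means the SSL_CTX pointer handed to
 * the callback belongs to a different ABI and must not be touched.
 */
enum ctx_abi ssl_ctx_abi_check(const char *curl_ssl_version,
                               unsigned long app_openssl)
{
    unsigned app_major = (unsigned)((app_openssl >> 28) & 0xfUL);
    unsigned app_minor = (unsigned)((app_openssl >> 20) & 0xffUL);
    unsigned major = 0, minor = 0;

    /* Other backends (GnuTLS, NSS, LibreSSL, ...) never hand out a
     * compatible OpenSSL SSL_CTX, so treat them as unusable. */
    if (curl_ssl_version == NULL ||
        strncmp(curl_ssl_version, "OpenSSL/", 8) != 0)
        return CTX_ABI_NOT_OPENSSL;
    if (sscanf(curl_ssl_version + 8, "%u.%u", &major, &minor) != 2)
        return CTX_ABI_NOT_OPENSSL;
    return (major == app_major && minor == app_minor)
               ? CTX_ABI_OK : CTX_ABI_MISMATCH;
}

int main(void)
{
    /* Constructed sample: a caller built against OpenSSL 1.0.2l. */
    const unsigned long built_against = 0x100020cfUL;
    /* Constructed samples of what libcurl might report. */
    const char *reported[] = { "OpenSSL/1.0.2l", "OpenSSL/1.1.0g", "GnuTLS/3.5.8" };
    static const char *verdict[] = { "ok", "ABI mismatch", "not OpenSSL" };

    for (size_t i = 0; i < sizeof reported / sizeof reported[0]; i++)
        printf("%-16s -> %s\n", reported[i],
               verdict[ssl_ctx_abi_check(reported[i], built_against)]);
    return 0;
}
```

A caller that gets anything other than CTX_ABI_OK should skip setting CURLOPT_SSL_CTX_FUNCTION and fail with a clear error.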