Package: libcurl3
Version: 7.51.0-1
Severity: serious
Justification: Policy 8.1

Dear Maintainer,

the curl ABI contains structs inherited from OpenSSL, e.g. in calls like:

    curl_easy_setopt(easy, CURLOPT_SSL_CTX_FUNCTION, &sslCtxFunction_cb);

Here, sslCtxFunction_cb is a function which takes an SSL_CTX * as a parameter. (This is from zurl, one example of a package affected by this bug.)

Since 7.51.0-1, curl links against OpenSSL 1.1 instead of OpenSSL 1.0 (implicitly caused by an update of libssl-dev, not by a change to the curl package). This changes the structure of SSL_CTX, which in turn changes the above mentioned ABI and breaks zurl (and possibly other packages).

Such ABI changes require a SONAME change, according to policy 8.1, exactly to avoid breaking other packages which use the library. Therefore, please consider changing the SONAME (and the name of the binary package). Alternatively, build-depend on libssl1.0-dev, to link against OpenSSL 1.0 and keep the old ABI.

(Set the severity to serious, to keep the package with the broken ABI from entering testing. IMHO this bug is a policy violation, but policy is not 100% clear here, as it only says 'the SONAME should change'. If you don't agree, please don't just lower the severity, but discuss the issue on debian-devel.)

Thanks,
Jan

-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-rc4 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libcurl3 depends on:
ii  libc6             2.24-5
ii  libcomerr2        1.43.3-1
ii  libgssapi-krb5-2  1.15~beta1-1
ii  libk5crypto3      1.15~beta1-1
ii  libkrb5-3         1.15~beta1-1
ii  libldap-2.4-2     2.4.42+dfsg-2+b3
ii  libnghttp2-14     1.16.0-1
ii  librtmp1          2.4+20151223.gitfa8646d.1-1
ii  libssh2-1         1.7.0-1
ii  libssl1.1         1.1.0c-1
ii  zlib1g            1:1.2.8.dfsg-2+b3

Versions of packages libcurl3 recommends:
ii  ca-certificates  20161102

libcurl3 suggests no packages.

-- no debconf information
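
An added example, not part of the report and not code from curl or zurl: a guard an application could run before installing a CURLOPT_SSL_CTX_FUNCTION callback, so that it never touches an SSL_CTX * produced by a different OpenSSL line than the one it was compiled against. The function name is hypothetical and the inputs are passed as parameters so the block runs without libcurl; in a real program the string would come from curl_version_info(CURLVERSION_NOW)->ssl_version and the number from OPENSSL_VERSION_NUMBER. Treating equal major.minor as compatible is an assumption that fits the 1.0.x and 1.1.x lines discussed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Compare the TLS backend string reported by libcurl (e.g. "OpenSSL/1.1.0c")
 * with the OpenSSL header version the application was compiled against
 * (OPENSSL_VERSION_NUMBER, layout 0xMNNFFPPS: major, minor, fix, patch, status).
 * Returns  1 if major.minor agree (callback may use SSL_CTX *),
 *          0 if they differ (the situation described in this report),
 *         -1 if the backend is not OpenSSL or the string cannot be parsed.
 * Hypothetical helper written for this example.
 */
int ssl_ctx_abi_matches(const char *curl_ssl_version, unsigned long hdr_version)
{
    static const char prefix[] = "OpenSSL/";
    const char *p;
    char *end;
    long run_major, run_minor, hdr_major, hdr_minor;

    if (curl_ssl_version == NULL ||
        strncmp(curl_ssl_version, prefix, sizeof(prefix) - 1) != 0)
        return -1;                      /* GnuTLS, NSS, LibreSSL, ... */

    p = curl_ssl_version + sizeof(prefix) - 1;
    run_major = strtol(p, &end, 10);
    if (end == p || *end != '.')
        return -1;
    p = end + 1;
    run_minor = strtol(p, &end, 10);
    if (end == p)
        return -1;

    hdr_major = (long)((hdr_version >> 28) & 0xf);
    hdr_minor = (long)((hdr_version >> 20) & 0xff);
    return (run_major == hdr_major && run_minor == hdr_minor) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: application built with 1.0.2j headers (0x100020af),
     * libcurl reporting the libssl1.1 version listed in the report. */
    int ok = ssl_ctx_abi_matches("OpenSSL/1.1.0c", 0x100020afUL);

    if (ok != 1)
        fprintf(stderr, "OpenSSL mismatch (%d): not setting CURLOPT_SSL_CTX_FUNCTION\n", ok);
    return ok == 1 ? 0 : 1;
}
```
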