On Mon, Nov 14, 2016, at 08:44, Ondřej Surý wrote: > On Mon, Nov 14, 2016, at 08:21, Adrian Bunk wrote: > > On Mon, Nov 14, 2016 at 05:03:45AM +0100, Ondřej Surý wrote: > > > > Looking at mod_ssl_openssl.h and the comment in #828330, > > > > I'd suggest the change below to add a dependency on libssl1.0-dev > > > > to apache2-dev. > > > > > > And that exactly happens meaning that PHP 7.0 can no longer be built > > > unless all it's build-depends (including PHP 7.0) and rdepends move to > > > libssl1.0-dev as well. > > > > > > So a nice deadlock, right? To be honest I would rather have a slightly > > > less tested apache2 with OpenSSL 1.1.0 and iron out the bugs as we go > > > than revert all the work I have done. > > > > > > I reviewed the patch Kurt has provided and I don't see any strong reason > > > why anything should break. > > >... > > > > Can you guarantee that rdeps of Apache can use 1.0.2 in stretch when > > Apache itself uses 1.1? > > Why? > > > That is the most important question here. > > No, I think the question is: > > Can we migrate (or drop) all rdeps to 1.0.2?
I meant s/1.0.2/1.1.0/ > > This is what my "mod_ssl_openssl.h and the comment in #828330" > > was referring to. > > > > The dual 1.0.2/1.1 setup for stretch can only work when any set of > > packages in the archive that needs the same OpenSSL version stays > > at 1.0.2 unless *all* packages in this set are compiling and working > > fine with 1.1 > > The *set* you are talking probably cover whole archive, since the > Build-Depends of PHP are quite vast and here are the Build-Depends > of Build-Depends: > > (This is from stretch, not from unstable) > apache2-dev libssl-dev (>= 0.9.8m) > libc-client2007e-dev libssl-dev > libcurl4-openssl-dev libssl-dev > libevent-dev libssl-dev > libkrb5-dev libssl-dev > libpq-dev libssl-dev > libsasl2-dev libssl-dev > libsnmp-dev libssl-dev (>> 0.9.8) > > Greping just Depends: on -dev packages is slightly more optimistic: > > apache2-dev libssl-dev (<< 1.1) > libc-client2007e-dev libssl-dev > libpq-dev libssl-dev > libsnmp-dev libssl-dev > > But ultimately I am afraid that libssl dependencies are so entagled > that it will cover all archive. > > > And since the OpenSSL version used is part of the libcurl3 ABI > > (see #844018 for details), using 1.1 in stretch is anyway not > > really an option for Apache/PHP in stretch. > > What you are really saying is that using OpenSSL 1.1 is generally > not an option for stretch. > > Cheers, > -- > Ondřej Surý <ond...@sury.org> > Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server > Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, > fast DNS(SEC) resolver > Vše pro chleba (https://vseprochleba.cz) – Mouky ze mlýna a potřeby pro > pečení chleba všeho druhu