On Mon, Nov 14, 2016, at 08:21, Adrian Bunk wrote:
> On Mon, Nov 14, 2016 at 05:03:45AM +0100, Ondřej Surý wrote:
> > > Looking at mod_ssl_openssl.h and the comment in #828330,
> > > I'd suggest the change below to add a dependency on libssl1.0-dev
> > > to apache2-dev.
> >
> > And that exactly happens meaning that PHP 7.0 can no longer be built
> > unless all its build-depends (including PHP 7.0) and rdepends move to
> > libssl1.0-dev as well.
> >
> > So a nice deadlock, right? To be honest I would rather have a slightly
> > less tested apache2 with OpenSSL 1.1.0 and iron out the bugs as we go
> > than revert all the work I have done.
> >
> > I reviewed the patch Kurt has provided and I don't see any strong reason
> > why anything should break.
> >...
>
> Can you guarantee that rdeps of Apache can use 1.0.2 in stretch when
> Apache itself uses 1.1?

Why?

> That is the most important question here.

No, I think the question is: Can we migrate (or drop) all rdeps to 1.0.2?

> This is what my "mod_ssl_openssl.h and the comment in #828330"
> was referring to.
>
> The dual 1.0.2/1.1 setup for stretch can only work when any set of
> packages in the archive that needs the same OpenSSL version stays
> at 1.0.2 unless *all* packages in this set are compiling and working
> fine with 1.1

The *set* you are talking about probably covers the whole archive, since the
Build-Depends of PHP are quite vast and here are the Build-Depends of
Build-Depends:

(This is from stretch, not from unstable)

apache2-dev            libssl-dev (>= 0.9.8m)
libc-client2007e-dev   libssl-dev
libcurl4-openssl-dev   libssl-dev
libevent-dev           libssl-dev
libkrb5-dev            libssl-dev
libpq-dev              libssl-dev
libsasl2-dev           libssl-dev
libsnmp-dev            libssl-dev (>> 0.9.8)

Grepping just Depends: on -dev packages is slightly more optimistic:

apache2-dev            libssl-dev (<< 1.1)
libc-client2007e-dev   libssl-dev
libpq-dev              libssl-dev
libsnmp-dev            libssl-dev

But ultimately I am afraid that libssl dependencies are so entangled that
it will cover the whole archive.

> And since the OpenSSL version used is part of the libcurl3 ABI
> (see #844018 for details), using 1.1 in stretch is anyway not
> really an option for Apache/PHP in stretch.

What you are really saying is that using OpenSSL 1.1 is generally not an
option for stretch.

Cheers,
--
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for baking all kinds of bread
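
Added example (not part of the original mail, and not code from Debian or any of its tools): a small Python sketch of how the coupled "set" discussed in the thread can be computed, by following which sources build against -dev packages whose Depends: name libssl-dev. The stanzas are constructed; libexample-dev, example-monitor and all field values are assumptions, as is the rule that a single source build must use one OpenSSL -dev package for all of its build-dependencies.

```python
import re

# Constructed sample in Debian control-file syntax. Package names on the page are
# reused; libexample-dev, example-monitor and all field values are assumptions.
BINARY = """\
Package: apache2-dev
Depends: libssl-dev (<< 1.1)

Package: libpq-dev
Depends: libssl-dev

Package: libsnmp-dev
Depends: libssl-dev

Package: libexample-dev
Depends: libc6-dev
"""
SOURCES = """\
Package: php7.0
Build-Depends: apache2-dev, libpq-dev, libexample-dev

Package: example-monitor
Build-Depends: libsnmp-dev, libpq-dev
"""

def parse(text):
    """Return {package: [dependency names]} from deb822-style stanzas."""
    out = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        deps = fields.get("Depends") or fields.get("Build-Depends", "")
        # Drop version constraints such as "(<< 1.1)" and keep the bare name.
        out[fields["Package"]] = [re.sub(r"\s*\(.*?\)", "", d).strip()
                                  for d in deps.split(",") if d.strip()]
    return out

def coupled_set(start, binary, sources, ssl="libssl-dev"):
    """-dev packages and sources forced onto the same OpenSSL as `start`."""
    ssl_dev = {p for p, deps in binary.items() if ssl in deps}
    seen_dev, seen_src, todo = set(), set(), [start]
    while todo:
        dev = todo.pop()
        if dev in seen_dev or dev not in ssl_dev:
            continue
        seen_dev.add(dev)
        for src, bdeps in sources.items():
            if dev in bdeps and src not in seen_src:
                seen_src.add(src)  # assumed: one OpenSSL per source build
                todo.extend(d for d in bdeps if d in ssl_dev)
    return seen_dev, seen_src

if __name__ == "__main__":
    print(coupled_set("apache2-dev", parse(BINARY), parse(SOURCES)))
```

In this constructed data, pinning apache2-dev pulls in libsnmp-dev even though php7.0 never build-depends on it, because example-monitor links the two through libpq-dev.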