On Monday, 14 November 2016 05:03:45 CET Ondřej Surý wrote:
> > Looking at mod_ssl_openssl.h and the comment in #828330,
> > I'd suggest the change below to add a dependency on libssl1.0-dev
> > to apache2-dev.
>
> And that exactly happens meaning that PHP 7.0 can no longer be built
> unless all its build-depends (including PHP 7.0) and rdepends move to
> libssl1.0-dev as well.
>
> So a nice deadlock, right? To be honest I would rather have a slightly
> less tested apache2 with OpenSSL 1.1.0 and iron out the bugs as we go
> than revert all the work I have done.

I must admit that I did not think of php when doing that change, sorry.

On the other hand, shibboleth-sp2 also build-depends on apache2-dev and there have been some indications that shibboleth won't be switching to openssl 1.1 for stretch. See
https://lists.debian.org/debian-release/2016/11/msg00024.html

I agree with Ondřej that this will get very entangled. There will be one big dependency-blob that contains most complex packages and can only be transitioned together. And a few leaf packages that can be transitioned easily. For example, subversion also build-depends on apache, and kde build-depends on subversion. Though libsvn-dev does not depend on apache2-dev, so maybe this is not actually a problem.

> I reviewed the patch Kurt has provided and I don't see any strong reason
> why anything should break.

With Kurt's patch, apache2 crashes on startup with an invalid free. On the other hand, the patch from the upstream 2.4.x-openssl-1.1.0-compat branch seems to work at first glance and does not cause any regression in the test suite. So if we are going to have apache with openssl 1.1, it's going to be the upstream patch.

But we first need to figure out what to do with shibboleth-sp2. My preference would be to make openssl 1.0 provide libssl-dev again and only have a few simple packages opt-in to using libssl1.1-dev.

Cheers,
Stefan