Peter Tribble wrote:
Well, it's not *just* OpenSSL, but that was the main topic in the
thread.
Actually, my experience is that openssl is incredibly fragile.
If I build 0.9.7 myself and use my version then I have very few
problems, but building against the /usr/sfw version gave me a
lot of grief, and I've had no luck with 0.9.8 either.
Exactly what kind of problems? I would really like to know
what they are in case they are problems with how I set up the
build environment for OpenSSL. As you can see from the
OpenSolaris source we don't use the OpenSSL.org makefiles but
use ones I wrote. So it might all be my fault, but I'd like
to know so I can a) own up to it and b) fix it!
Why can't you as the person building the local software that needs
its own local version use your local copy ? Proper use of
ld(1) and ld.so.1(1) flags, config files and environment already
allow this.
Yes, I know. And I don't have any problems. And perhaps libssl
as a particular example would be safe - the dependency chain
isn't that complex. (Although the fragility and lack of
stability guarantees does worry me.)
Which is why it is External and why it is currently in /usr/sfw.
The interface stability is something to be taken up with openssl.org
though, I don't think we in OpenSolaris can make a higher stability
commitment to it than they do. My general advice is that as long
as you stick to just the SSL and EVP API you are generally okay,
straying much out of that has in my experience caused issues
on later versions (binary and source).
Remember also that the end user typically has little control
over building software now that autoconf and friends try to
be "helpful".
Why doesn't this apply for other things /usr/lib or /lib ?
It does, of course. The desktop in particular puts an awful
lot of stuff into system locations to be picked up by other
applications. (The one I remember having a lot of grief with
was libxml2.)
But libxml2 is a critical component of Solaris used by SMF, not
just something one particular desktop uses.
Do you do this on other platforms as well ? IIRC RedHat and SuSE
both ship OpenSSL's libssl and libcrypto in /usr/lib. So how is
this "problem" dealt with on systems like that ?
Well, I don't have access to any other platforms right now ;-)
I don't remember any particular problem with ssl from when I did
have RedHat boxes. Other problems came up - I still don't believe
that shoving everything into a single common location, giving it
a good stir, and hoping for the best, is particularly good practice.
My problem really is with libraries that don't have compatibility
built in. For an example of something that just works and doesn't
give problems, then look at X11. If only everything else were
that simple.
This is exactly why Sun (and thus Solaris and now OpenSolaris) has had
for a long time an interface taxonomy and the compatibility guarantee we
have for Solaris. We can't extend that out to everything but sometimes
Solaris needed to use things like OpenSSL itself hence the "External"
taxonomy - which means "The OpenSolaris community isn't in control of
the evolution of this interface and it may break in any type of release".
--
Darren J Moffat