Bug#732940: [Pkg-openssl-devel] Bug#732940: Breaks ssh: OpenSSL version mismatch. Built against 1000105f, you have 10001060

2013-12-22 Thread Kurt Roeckx
On Sun, Dec 22, 2013 at 02:16:43PM -0800, Josh Triplett wrote:
 Package: libssl1.0.0
 Version: 1.0.1e-5
 Followup-For: Bug #732940
 
 Julien Cristau wrote:
  On Sun, Dec 22, 2013 at 14:02:37 -0800, Josh Triplett wrote:
  Package: libssl1.0.0
  Version: 1.0.1e-5
  Severity: critical
  
  Upgrading OpenSSL caused SSH to break.
  
  Here's the upgrade from aptitude's log:
  [UPGRADE] libssl-dev:amd64 1.0.1e-4 -> 1.0.1e-5
  [UPGRADE] libssl1.0.0:amd64 1.0.1e-4 -> 1.0.1e-5
  [UPGRADE] openssl:amd64 1.0.1e-4 -> 1.0.1e-5
  
  And here's SSH failing:
  $ ssh joshtriplett.org
  OpenSSL version mismatch. Built against 1000105f, you have 10001060
  
  sounds like an openssh bug to me...
 
 I upgraded OpenSSL and OpenSSH stopped working.  Since the SONAME didn't
 change, kinda by definition this seems like a bug in OpenSSL, not
 OpenSSH.

So openssl is never supposed to change its version number?


Kurt


2013-12-22 Thread Kurt Roeckx
On Sun, Dec 22, 2013 at 02:45:32PM -0800, Josh Triplett wrote:
 
 It's not OK to break forward compatibility without changing SONAME.
 Software built against an older version of a library must always work
 with a newer version that has the same SONAME; that's what the SONAME
 exists for.  It'd be perfectly OK for software built against a newer
 OpenSSL to refuse to work with an older version (ideally by requiring a
 symbol the older library doesn't have), but the reverse is a bug,
 regardless of the mechanism.

Openssl does not do this version check, nor does it suggest to do
any such check.  I think I've already filed this bug against
openssh twice and it seems to be coming back.

I don't see how openssl is breaking either forward or backward
compatibility.  It just changed the version it returned.  Openssl
can't be responsible for whatever people do with that version.

Openssl in Debian also properly maintains the soname, it has
versioned symbols depending on the version that introduced
the symbol.

If openssh wants to refuse to run with a newer version of openssl
and you say that that is perfectly OK, I guess there is no bug at
all here and I can just close this bug.


Kurt
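
Added example, not part of the thread and not OpenSSH or OpenSSL code: it decodes the two values from the error message using the OpenSSL 1.0.x `0xMNNFFPPS` version layout, then compares an exact-match check with one that only refuses an older runtime library. Both policy functions and all names in the block are hypothetical illustrations.

```c
#include <stdio.h>

/* OpenSSL 1.0.x version layout 0xMNNFFPPS: major, minor, fix,
 * patch letter (1 = 'a'), status (0x0 = dev, 0xf = release). */
struct ossl_ver { unsigned maj, min, fix, patch, status; };

static struct ossl_ver decode(unsigned long v)
{
    struct ossl_ver d;
    d.maj    = (v >> 28) & 0xf;
    d.min    = (v >> 20) & 0xff;
    d.fix    = (v >> 12) & 0xff;
    d.patch  = (v >> 4)  & 0xff;
    d.status = v & 0xf;
    return d;
}

/* Hypothetical policy A: accept only the exact build-time version. */
static int strict_match(unsigned long built, unsigned long runtime)
{ return built == runtime; }

/* Hypothetical policy B (an assumption, not an OpenSSL guarantee): same
 * major.minor.fix, runtime patch not older than build, status ignored. */
static int compatible(unsigned long built, unsigned long runtime)
{
    struct ossl_ver b = decode(built), r = decode(runtime);
    return b.maj == r.maj && b.min == r.min && b.fix == r.fix
        && r.patch >= b.patch;
}

static void show(const char *label, unsigned long v)
{
    struct ossl_ver d = decode(v);
    printf("%-8s 0x%08lx = %u.%u.%u%c status=0x%x\n", label, v,
           d.maj, d.min, d.fix,
           d.patch ? (char)('a' + d.patch - 1) : ' ', d.status);
}

int main(void)
{
    /* The two values quoted in the error message in this thread. */
    unsigned long built = 0x1000105fUL, runtime = 0x10001060UL;
    show("built", built);
    show("runtime", runtime);
    printf("strict_match=%d\n", strict_match(built, runtime));
    printf("compatible=%d\n", compatible(built, runtime));
    return 0;
}
```

Decoded, the build-time value is 1.0.1e with release status and the runtime value is 1.0.1f with development status, so the patch and status fields are the only ones that differ.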

