Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-09 Thread Henrique de Moraes Holschuh
On Sat, 08 Oct 2005, Steve Langasek wrote:
> I have a better idea, then; how about if they just never have new major
> versions of libpng, ever again?  The last two soname changes were in fact
> total bullshit, and judging by past events I can see them using symbol

Or, for something that has a modicum of chance of png upstream accepting,
why not telling us (d-devel) about a supposed upcoming version change a week
before they release it, so that we can tell them they are smoking crack and
fix the error before it hits the wild if that's the case?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-08 Thread Steve Langasek
On Sat, Oct 08, 2005 at 05:44:25PM +0200, Josselin Mouette wrote:
> Le vendredi 07 octobre 2005 à 14:33 -0700, Steve Langasek a écrit :
> > > We're already doing it for libpng, as no one else seemed interested in
> > > properly version the symbols. There haven't been any issues reported so
> > > far.

> > What ever happened to libpng upstream's bizarre plan to hand-mangle symbol
> > names in lieu of versioning?  If they're not doing that, then someone
> > (like... the maintainer ;) should bludgeon them into accepting a patch for
> > real symbol versioning...

> They're planning to do that for the next major libpng version only.

I have a better idea, then; how about if they just never have new major
versions of libpng, ever again?  The last two soname changes were in fact
total bullshit, and judging by past events I can see them using symbol
versioning as an *excuse* to change an soname, which would be the most
ironically counterproductive option available to them...

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-08 Thread Josselin Mouette
Le vendredi 07 octobre 2005 à 14:33 -0700, Steve Langasek a écrit :
> > We're already doing it for libpng, as no one else seemed interested in
> > properly version the symbols. There haven't been any issues reported so
> > far.
> 
> What ever happened to libpng upstream's bizarre plan to hand-mangle symbol
> names in lieu of versioning?  If they're not doing that, then someone
> (like... the maintainer ;) should bludgeon them into accepting a patch for
> real symbol versioning...

They're planning to do that for the next major libpng version only. At
the time the patch was included in Debian, neither upstream nor other
distributors seemed interested, but I can try again...
-- 
 .''`.   Josselin Mouette/\./\
: :' :   [EMAIL PROTECTED]
`. `'[EMAIL PROTECTED]
  `-  Debian GNU/Linux -- The power of freedom




Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Steve Langasek
On Thu, Oct 06, 2005 at 10:20:12PM +0200, Christoph Martin wrote:

> > You are right - as so often.

> > People are still required to speak with the release team first. But some
> > people prefer to make all of our life harder then necessary.

> > Please again: If someone wants to make any transition, please speak
> > *first* with the release team. Do not just assume you can upload just
> > anything. We really want to finish the c++-abi-transition first.

> Sorry for that. I missed the message about not doing library
> transitions. My fault. But I also do not really understand why so many
> packages need to be rebuild since libssl0.9.7 will be in the archive
> too.

How?  I don't see any openssl097 source package in the archive, only openssl
and openssl096.  If it is your intention to upload an openssl097 source
package, please do so ASAP (preferably *before* libssl0.9.7 is removed from
unstable via rene!), and please tell maintainers that they should *not* be
transitioning to libssl0.9.8 at this time.  There are probably many packages
that can safely be migrated to libssl0.9.8, but there are a large number of
other packages, which no one has made a list of, which will have a cascade
effect on segfaults related to other transitions if they are rebuilt now
against a libssl0.9.8 that doesn't have versioned symbols.

> I however understand the problem with different libraries linked against
> different versions of openssl. But I don't think that versioning the
> symbols in Debian alone would be such a good idea. Than we would be
> incompatible with other distributions.

We would be only unidirectionally incompatible with other distros, in the
same way that we would be incompatible distros that shipped an older version
of libssl0.9.8 which was missing a newly-added symbol but was otherwise
ABI-compatible.  

> All LSB connected distros should do it the same way.

Yes, they certainly should.  Maintainers that implement versioned symbols
for libraries are always encouraged to submit patches upstream.

> Release team: If you think it would be the right thing to remove openssl
> 0.9.8 from sid, feel free to do it. I did the update, because a lot of
> people bugged me about the new version and upstream only recommends this
> version. It also closes a grave security bug.

I don't think it makes much sense to remove the package from sid once it's
been uploaded, but please see above for my concerns on how we handle this
going forward.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/


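As an added illustration of the cascade Steve describes above (a binary that ends up with both libssl0.9.7 and libssl0.9.8 in its address space, with no versioned symbols to keep their exports apart), here is a small Python check that parses `ldd` output and flags any library pulled in under two different sonames. This is example code written for this page, not anything from the thread or from the Debian openssl packaging; the `ldd` sample it runs on by default is constructed.

```python
"""Flag a binary whose dependency tree pulls in two sonames of one library.

Added example, not code from the thread.  When libcurl is built against
libssl.so.0.9.8 while libldap still uses libssl.so.0.9.7, both libraries
land in one address space.  Because OpenSSL 0.9.x exports unversioned
symbols, whichever copy the loader binds first serves every caller, and a
mismatched struct layout then segfaults.  Finding that condition from
`ldd` output is cheap and can be done before the rebuild, not after the
crash.
"""
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample of `ldd` output on a sid box with a half-finished
# libssl transition (hypothetical addresses and paths, not a real capture).
SAMPLE_LDD = """\
        linux-gate.so.1 =>  (0xffffe000)
        libcurl.so.3 => /usr/lib/libcurl.so.3 (0xb7f30000)
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7ef0000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7dc0000)
        libldap_r.so.2 => /usr/lib/libldap_r.so.2 (0xb7d80000)
        libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0xb7d40000)
        libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0xb7c10000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7ae0000)
        /lib/ld-linux.so.2 (0xb7f60000)
"""

# "libssl.so.0.9.8" -> base "libssl", version "0.9.8"; the text after ".so."
# is the soname's ABI version, which is exactly what changes in a transition.
SONAME_RE = re.compile(r"^(?P<base>lib[^/\s]+?)\.so(?:\.(?P<ver>[0-9][0-9.]*))?$")


def parse_ldd(text):
    """Map each soname in ldd output to its resolved path (None for the
    vdso and the dynamic loader, which ldd prints without a path)."""
    libs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " => " in line:
            soname, rest = line.split(" => ", 1)
            path = rest.split(" (", 1)[0].strip()
            if not path or path.startswith("("):
                path = None
        else:
            # e.g. "/lib/ld-linux.so.2 (0xb7f60000)": keep the basename only
            soname = line.split(" (", 1)[0].rsplit("/", 1)[-1]
            path = None
        libs[soname.strip()] = path
    return libs


def find_conflicts(libs):
    """Return {base: [versions]} for every library that appears under more
    than one soname version; an empty dict means the image is consistent."""
    versions = defaultdict(set)
    for soname in libs:
        m = SONAME_RE.match(soname)
        if m and m.group("ver"):
            versions[m.group("base")].add(m.group("ver"))
    return {base: sorted(v) for base, v in versions.items() if len(v) > 1}


def check_binary(path):
    """Run ldd on an installed binary and report its conflicts.  ldd may
    execute the target's loader, so point it only at binaries you trust."""
    out = subprocess.run(["ldd", path], capture_output=True, text=True,
                         check=True).stdout
    return find_conflicts(parse_ldd(out))


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        report = {t: check_binary(t) for t in targets}
    else:
        report = {"<constructed sample>": find_conflicts(parse_ldd(SAMPLE_LDD))}
    for target, conflicts in report.items():
        if not conflicts:
            print(f"{target}: no duplicate sonames")
        for base, vers in conflicts.items():
            print(f"{target}: {base} loaded as {' and '.join(vers)}; "
                  "unversioned symbols from both copies will collide")
```

Run without arguments to see the constructed sample flagged on libssl and libcrypto; pass paths to installed binaries to check a real system.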


Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Steve Langasek
On Fri, Oct 07, 2005 at 12:47:00PM +0200, Josselin Mouette wrote:
> Le jeudi 06 octobre 2005 à 22:20 +0200, Christoph Martin a écrit :
> > I however understand the problem with different libraries linked against
> > different versions of openssl. But I don't think that versioning the
> > symbols in Debian alone would be such a good idea. Than we would be
> > incompatible with other distributions. All LSB connected distros should
> > do it the same way.

> We're already doing it for libpng, as no one else seemed interested in
> properly version the symbols. There haven't been any issues reported so
> far.

What ever happened to libpng upstream's bizarre plan to hand-mangle symbol
names in lieu of versioning?  If they're not doing that, then someone
(like... the maintainer ;) should bludgeon them into accepting a patch for
real symbol versioning...

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Moritz Muehlenhoff
In linux.debian.devel, you wrote:
>> beneficial to at least document such security issues, by informing security
>> team, filing an RC bug on your own package, and mentioning the CVE ID (or at
>> the very least, a short description of the bug fixed) in your changelog 
>> entry.
>
> It is documented in bug #314465. But it is not really a bug which you
> can fix by backporting. It's about MD5 hashes being insecure. I talked
> with upstream about the issue and follow their arguments:

Well, it's not that MD5 is secure in 0.9.8, it's just that the default hash
has been changed. So changing /etc/openssl.cnf's "default_md = md5" to
"default_md = sha1" would have the same effect, as sha1 is already present
in 0.9.7; only the more complex SHA variants have been introduced in 0.9.8.

Cheers,
Moritz





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Henrique de Moraes Holschuh
On Fri, 07 Oct 2005, Martijn van Oosterhout wrote:
> The problem would be if two different groups go and version the
> symbols in a different way (OPENSSL_0.9.8 vs OPENSSL_0_9_8). But as

I will repeat myself once:  just hunt down and email the openssl maintainers
for: SuSE, RH/Fedora, Mandriva, Gentoo, plus upstream, with the explanation
of why we versioned the symbols and the patch (and YES, I can write the
explanation if anyone needs it).

They won't set a different symbol if you use something that Solaris will
also accept (upstream) or that looks sane (other distros).  Probably most
will apply the patch.

Information about Solaris is easy to find, and appears to be exactly the
same as what is done in Linux, other than they have preferred namespaces:
http://www.usenix.org/publications/library/proceedings/als00/2000papers/papers/full_papers/browndavid/browndavid_html/

Other distros will soon notice (and there is no reason why you can't email
them directly, either) when the biggest ones start versioning symbols, and
the next edition of the LSB will pick it up if all major players deployed
it.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Martijn van Oosterhout
2005/10/7, Nathanael Nerode <[EMAIL PROTECTED]>:
> Well, only in one direction if I remember my versioning rules correctly.
> Consider the following cases:
> * binary built against unversioned libssl from other distro, running with
> versioned libssl on Debian
> Breaks because it can't find the symbols.
> * binary built against versioned libssl on Debian, running with unversioned
> libssl on other distro
> Works, because if it can't find a versioned symbol, it tries the unversioned
> symbol.

Actually, as long as the dynamic linker understands versioned symbols,
either combination works. If an unversioned symbol is found it is
matched against the oldest version available. Not always right
of course, but no worse than without versioning.

The problem would be if two different groups go and version the
symbols in a different way (OPENSSL_0.9.8 vs OPENSSL_0_9_8). But as
long as we're the only people versioning, there's no problem. If it
becomes an issue we can add their version names to our libraries.



Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Andreas Barth
* Domenico Andreoli ([EMAIL PROTECTED]) [051007 10:59]:
> is the run for openssl 0.9.8 started anyway? i have curl and
> libapache-mod-ssl ready for the upload.

There is nothing one can stop anymore. It will be tied with the
c++-abi-transition soon enough.


Cheers,
Andi





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Josselin Mouette
Le jeudi 06 octobre 2005 à 22:20 +0200, Christoph Martin a écrit :
> I however understand the problem with different libraries linked against
> different versions of openssl. But I don't think that versioning the
> symbols in Debian alone would be such a good idea. Than we would be
> incompatible with other distributions. All LSB connected distros should
> do it the same way.

We're already doing it for libpng, as no one else seemed interested in
properly versioning the symbols. There haven't been any issues reported so
far.
-- 
 .''`.   Josselin Mouette/\./\
: :' :   [EMAIL PROTECTED]
`. `'[EMAIL PROTECTED]
   `-  Debian GNU/Linux -- The power of freedom



Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Domenico Andreoli
On Fri, Oct 07, 2005 at 06:12:33AM -0300, Henrique de Moraes Holschuh wrote:
> On Fri, 07 Oct 2005, Domenico Andreoli wrote:
> > is the run for openssl 0.9.8 started anyway? i have curl and
> > libapache-mod-ssl ready for the upload.
> 
> I am going to hold out and wait at least a week. I want to know what the
> release team will do re. 0.9.8.

i'm seconding. what do you think about uploading stuff to experimental?

> PLEASE, let's take the opportunity to enable symbol versioning.  That way,
> there will NOT be any need for a new transition when 0.9.9 is out.

any consensus here? have the RMs any opinion about?

thanks
domenico

-[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50




Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Henrique de Moraes Holschuh
On Thu, 06 Oct 2005, Nathanael Nerode wrote:
> [EMAIL PROTECTED] wrote:
> > But I don't think that versioning the
> >symbols in Debian alone would be such a good idea. Than we would be
> >incompatible with other distributions.

Then mail the other distro maintainers and upstream, they will listen to you
and it is actually probable you will not have much trouble with the other
distros.  

Upstream might want a foolproof way to detect whether it should version
symbols or not (I suspect that when using libtool this is a no brainer: tell
libtool to version, and if the platform can't version, it should simply
ignore the request).

Debian can and often does lead the other distros re. versioned symbols.  It
is very troubling that openssl is still unversioned, and thus we have to
transition a lot of packages every time a new openssl hits the archive, OR
risk segfaults everywhere.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Christoph Martin
Jeroen van Wolffelaar schrieb:
> On Thu, Oct 06, 2005 at 10:20:12PM +0200, Christoph Martin wrote:
> 
>>a lot of people bugged me about the new version and upstream only recommends
>>this version. It also closes a grave security bug.
> 
> Hm, that wasn't listed in the changelog. Anyway, there hasn't been a security
> advisory about openssl recently, did you backport a patch to the sarge version
> (and prefereably also, to the woody version) and informed the security team? I
> noticed you just requested help for maintaining openssl, so I can imagine that
> it's been hard to find to come up with a patch, but it would at least be
> beneficial to at least document such security issues, by informing security
> team, filing an RC bug on your own package, and mentioning the CVE ID (or at
> the very least, a short description of the bug fixed) in your changelog entry.

It is documented in bug #314465. But it is not really a bug which you
can fix by backporting. It's about MD5 hashes being insecure. I talked
with upstream about the issue and follow their arguments:

>The default digest in 0.9.8 and the cvs head is SHA-1
>(we didn't change 0.9.7 as we didn't want to break existing
>implementations depending on the default digest being MD5).
>About SHA-256 etc. : they are included in the soon to
>appear 0.9.8.

The bug had been release critical and has the security tag. I downgraded
it to get the last 0.9.7 version into testing before uploading 0.9.8.

Christoph

-- 

Christoph Martin, Leiter der EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  [EMAIL PROTECTED]
  Telefon: +49-6131-3926337
  Fax: +49-6131-3922856




Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Henrique de Moraes Holschuh
On Fri, 07 Oct 2005, Domenico Andreoli wrote:
> is the run for openssl 0.9.8 started anyway? i have curl and
> libapache-mod-ssl ready for the upload.

I am going to hold out and wait at least a week. I want to know what the
release team will do re. 0.9.8.

PLEASE, let's take the opportunity to enable symbol versioning.  That way,
there will NOT be any need for a new transition when 0.9.9 is out.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Domenico Andreoli
On Thu, Oct 06, 2005 at 06:29:55PM +0200, Andreas Barth wrote:
> * Frank Küster ([EMAIL PROTECTED]) [051006 17:13]:
> > sean finney <[EMAIL PROTECTED]> wrote:
> > 
> > > and furthermore, there are some of us who have been quietly waiting for
> > > things to settle down from the previous major transitions before doing
> > > our own, at the request of the release team.
> > 
> > I'm only following d-d-a, -private, and -devel, but that only partly,
> > and *I* have not yet read anywhere that transitions are allowed again at
> > all.  If they are and I had known, it would have saved me quite some
> > work... 
> 
> You are right - as so often.
> 
> People are still required to speak with the release team first. But some
> people prefer to make all of our life harder then necessary.
> 
> Please again: If someone wants to make any transition, please speak
> *first* with the release team. Do not just assume you can upload just
> anything. We really want to finish the c++-abi-transition first.

is the run for openssl 0.9.8 started anyway? i have curl and
libapache-mod-ssl ready for the upload.

ciao
domenico

-[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-07 Thread Moritz Muehlenhoff
In linux.debian.devel, you wrote:
> Moritz Muehlenhoff wrote:
>> Upgrading to SHA-1 is still a good idea, of course,
>
> Correct me if I'm wrong, but haven't there been collision attacks on
> SHA-1, too?

Yes, but to public knowledge they're only feasible with government grade
hardware, while MD5 is subject to attacks with much lower complexity.

There might be an AES-like competition for the next-gen hash in 2006, but
I'm not sure if it has been decided yet.

Cheers,
Moritz





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Henrique de Moraes Holschuh
On Thu, 06 Oct 2005, Russ Allbery wrote:
> At least in my testing, binaries built against an unversioned library work
> fine with a versioned library.  Maybe I wasn't testing properly?

You are correct, they work just fine.  DEPENDING on the version of ld.so,
you might get a helpful warning, but that's about it.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Russ Allbery
Nathanael Nerode <[EMAIL PROTECTED]> writes:

> Well, only in one direction if I remember my versioning rules correctly.
> Consider the following cases:

> * binary built against unversioned libssl from other distro, running with 
> versioned libssl on Debian
> Breaks because it can't find the symbols.

At least in my testing, binaries built against an unversioned library work
fine with a versioned library.  Maybe I wasn't testing properly?

-- 
Russ Allbery ([EMAIL PROTECTED]) 





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Nathanael Nerode
[EMAIL PROTECTED] wrote:
> But I don't think that versioning the
>symbols in Debian alone would be such a good idea. Than we would be
>incompatible with other distributions.
Well, only in one direction if I remember my versioning rules correctly.
Consider the following cases:
* binary built against unversioned libssl from other distro, running with 
versioned libssl on Debian
Breaks because it can't find the symbols.
* binary built against versioned libssl on Debian, running with unversioned 
libssl on other distro
Works, because if it can't find a versioned symbol, it tries the unversioned 
symbol.

This can be fixed even more by keeping available one version of libssl with 
unversioned symbols, and versioning the symbols on all other versions.  Then 
binaries from other distros will work as long as the unversioned-symbol 
version is available (and compatible, of course).

-- 
Nathanael Nerode  <[EMAIL PROTECTED]>

Make sure your vote will count.
http://www.verifiedvoting.org/





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Anthony DeRobertis
Moritz Muehlenhoff wrote:
> Upgrading to SHA-1 is still a good idea, of course,

Correct me if I'm wrong, but haven't there been collision attacks on
SHA-1, too?





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Moritz Muehlenhoff
In linux.debian.devel, you wrote:
>> a lot of people bugged me about the new version and upstream only recommends
>> this version. It also closes a grave security bug.
>
> Hm, that wasn't listed in the changelog. Anyway, there hasn't been a security
> advisory about openssl recently, did you backport a patch to the sarge version
> (and prefereably also, to the woody version) and informed the security team?

Christoph is probably referring to CAN-2005-2946 and bug #314465, which is about
the fact that MD5 is the default digest algo in openssl.
This bug has an inflated severity, it's not overly urgent. There have been several
collision attacks on MD5 (i.e. you can create a foo/bar pair, which share a
common hash), but no second preimage attacks have been demonstrated so
far (i.e. creating a bar, which shares a hash with a given foo).
Several exploits have been derived from the basic collision attacks, though, (google
for Kaminsky or Daum/Lucks for some cool demonstrations), but it's not as grave
as it might appear. Upgrading to SHA-1 is still a good idea, of course, but no
need to break things more than necessary.

Cheers,
Moritz





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Jeroen van Wolffelaar
On Thu, Oct 06, 2005 at 10:20:12PM +0200, Christoph Martin wrote:
> a lot of people bugged me about the new version and upstream only recommends
> this version. It also closes a grave security bug.

Hm, that wasn't listed in the changelog. Anyway, there hasn't been a security
advisory about openssl recently, did you backport a patch to the sarge version
(and preferably also, to the woody version) and informed the security team? I
noticed you just requested help for maintaining openssl, so I can imagine that
it's been hard to find to come up with a patch, but it would at least be
beneficial to at least document such security issues, by informing security
team, filing an RC bug on your own package, and mentioning the CVE ID (or at
the very least, a short description of the bug fixed) in your changelog entry.

Thanks,
--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Christoph Martin
Andreas Barth schrieb:
> * Frank Küster ([EMAIL PROTECTED]) [051006 17:13]:
> 
>>sean finney <[EMAIL PROTECTED]> wrote:
>>
>>
>>>and furthermore, there are some of us who have been quietly waiting for
>>>things to settle down from the previous major transitions before doing
>>>our own, at the request of the release team.
>>
>>I'm only following d-d-a, -private, and -devel, but that only partly,
>>and *I* have not yet read anywhere that transitions are allowed again at
>>all.  If they are and I had known, it would have saved me quite some
>>work... 
> 
> You are right - as so often.
> 
> People are still required to speak with the release team first. But some
> people prefer to make all of our life harder then necessary.
> 
> Please again: If someone wants to make any transition, please speak
> *first* with the release team. Do not just assume you can upload just
> anything. We really want to finish the c++-abi-transition first.

Sorry for that. I missed the message about not doing library
transitions. My fault. But I also do not really understand why so many
packages need to be rebuilt since libssl0.9.7 will be in the archive
too. We had the same scheme with libssl0.9.6 and libssl0.9.7. Sarge
released with some packages still linked against libssl0.9.6. Only the
new to build packages link against the new library.

I however understand the problem with different libraries linked against
different versions of openssl. But I don't think that versioning the
symbols in Debian alone would be such a good idea. Then we would be
incompatible with other distributions. All LSB connected distros should
do it the same way.

Release team: If you think it would be the right thing to remove openssl
0.9.8 from sid, feel free to do it. I did the update, because a lot of
people bugged me about the new version and upstream only recommends this
version. It also closes a grave security bug.

Christoph



-- 

Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  [EMAIL PROTECTED]
  Telefon: +49-6131-3926337





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Joey Hess
Jonas Meurer wrote:
> > conserver
> 
> this package does not exist in debian

It's in non-free

-- 
see shy jo




Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Henrique de Moraes Holschuh
On Thu, 06 Oct 2005, Josselin Mouette wrote:
> Furthermore, as OpenSSL symbols aren't versioned, this will lead to
> random crashes if a binary ends up being linked to both version, won't
> it?

Oh crap!

OpenSSL *must* version its symbols, it is the kind of lib that ends up
linked to libs that end up linked into other libs or even worse, end up in
nsswitch modules and thus shadow-linked to every dang thing in the system.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Andreas Barth
* Frank Küster ([EMAIL PROTECTED]) [051006 17:13]:
> sean finney <[EMAIL PROTECTED]> wrote:
> 
> > and furthermore, there are some of us who have been quietly waiting for
> > things to settle down from the previous major transitions before doing
> > our own, at the request of the release team.
> 
> I'm only following d-d-a, -private, and -devel, but that only partly,
> and *I* have not yet read anywhere that transitions are allowed again at
> all.  If they are and I had known, it would have saved me quite some
> work... 

You are right - as so often.

People are still required to speak with the release team first. But some
people prefer to make all of our life harder than necessary.

Please again: If someone wants to make any transition, please speak
*first* with the release team. Do not just assume you can upload just
anything. We really want to finish the c++-abi-transition first.



Cheers,
Andi





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Alastair McKinstry
On Thu, 2005-10-06 at 11:24 -0300, Henrique de Moraes Holschuh wrote:
> Is there any chances of versioning openssl symbols properly?
> 
> I am not asking for 0.9.7 and 0.9.8 to coexist (although versioned symbols
> would make that trivial), but PLEASE version the symbols.
> 
> Suggested version tag:  OPENSSL_0_9_8


minor point, but in the name of consistency could we use version tags of
the form OPENSSL_0.9.8, matching e.g. GLIBC_2.0 , etc. 

Regards
Alastair

> -- 
>   "One disk to rule them all, One disk to find them. One disk to bring
>   them all and in the darkness grind them. In the Land of Redmond
>   where the shadows lie." -- The Silicon Valley Tarot
>   Henrique Holschuh
> 
> 





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Henrique de Moraes Holschuh
On Thu, 06 Oct 2005, Alastair McKinstry wrote:
> On Thu, 2005-10-06 at 11:24 -0300, Henrique de Moraes Holschuh wrote:
> > Is there any chances of versioning openssl symbols properly?
> > 
> > I am not asking for 0.9.7 and 0.9.8 to coexist (although versioned symbols
> > would make that trivial), but PLEASE version the symbols.
> > 
> > Suggested version tag:  OPENSSL_0_9_8
> 
> minor point, but in the name of consistency could we use version tags of
> the form OPENSSL_0.9.8, matching e.g. GLIBC_2.0 , etc. 

Sure.  As long as it is versioned and the version changes with the ABI, I
will be very happy :-)

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread Frank Küster
sean finney <[EMAIL PROTECTED]> wrote:

> and furthermore, there are some of us who have been quietly waiting for
> things to settle down from the previous major transitions before doing
> our own, at the request of the release team.

I'm only following d-d-a, -private, and -devel, but that only partly,
and *I* have not yet read anywhere that transitions are allowed again at
all.  If they are and I had known, it would have saved me quite some
work... 

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer



Re: Packages that need to be rebuilt agaisnt libssl0.9.8

2005-10-06 Thread sean finney
On Thu, Oct 06, 2005 at 08:33:19AM +0200, Aurelien Jarno wrote:
> Christoph Martin a écrit :
> >Changes: 
> > openssl (0.9.8-1) unstable; urgency=low
> > .
> >   * New upstream release (closes: #311826)
> 
> The following list of packages needs to be rebuilt, otherwise some of 
> the binary packages they built will be uninstallable after today's mirror 
> push. Maybe bug reports have to be filed?

This seems to me like something that would qualify as a "significant
transition", and I'm wondering why this was not announced ahead of time.
I don't think it's good practice to upload anything that breaks over
300 packages in Debian without at least some preliminary
announcement/discussion.

And furthermore, there are some of us who have been quietly waiting for
things to settle down from the previous major transitions before doing
our own, at the request of the release team.


sean

PS: I'd also like to second the request for symbol versioning.

-- 


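The list quoted above ("packages that need to be rebuilt, otherwise some of the binary packages will be uninstallable") comes down to one question per binary: does its ELF dynamic section still carry a NEEDED entry for the old soname? The following is an added example, not code from this thread or from any Debian tool: a POSIX shell check that parses `readelf -d` output for NEEDED entries naming the pre-transition sonames (libssl.so.0.9.7 and libcrypto.so.0.9.7, which the libssl0.9.7 package shipped), plus a tree scanner that runs the real readelf over installed files. The readelf listings embedded below are constructed for the example; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian's tooling.
# The readelf listings below are constructed; the sonames are the real
# pre-transition ones from libssl0.9.7.
set -eu

OLD_SONAMES='libssl.so.0.9.7 libcrypto.so.0.9.7'

# needed_sonames: read `readelf -d FILE` on stdin, print one NEEDED soname per line.
# readelf prints e.g.
#   " 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.0.9.7]"
needed_sonames() {
    sed -n 's/^.*(NEEDED)[^[]*\[\([^]]*\)].*$/\1/p'
}

# old_ssl_deps: keep only the NEEDED sonames that force a rebuild.
# Exit status 0 if at least one matched, 1 otherwise, so it can drive an `if`.
old_ssl_deps() {
    needed_sonames | awk -v old="$OLD_SONAMES" '
        BEGIN { n = split(old, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($0 in want) { print; hit = 1 }
        END { exit(hit ? 0 : 1) }'
}

# scan_tree DIR: print "PATH SONAME" for every file under DIR whose dynamic
# section still names an old soname. Needs binutils; readelf fails on non-ELF
# files, which therefore produce no output. Map hits to packages afterwards
# with `dpkg -S PATH`.
scan_tree() {
    find "$1" -type f | while IFS= read -r f; do
        readelf -d "$f" 2>/dev/null | old_ssl_deps | while IFS= read -r so; do
            printf '%s %s\n' "$f" "$so"
        done
    done
}

# Constructed `readelf -d` output for a binary still built against 0.9.7 ...
SAMPLE_DYNAMIC='Dynamic section at offset 0x2d68 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.0.9.7]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.0.9.7]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libfoo.so.1]
 0x000000000000000c (INIT)               0x1000'

# ... and for the same binary after a rebuild against libssl0.9.8.
SAMPLE_REBUILT='Dynamic section at offset 0x2d68 contains 28 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.0.9.8]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Run as `sh sslrebuild.sh demo` to see the two old sonames reported for SAMPLE_DYNAMIC.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_DYNAMIC" | old_ssl_deps
    printf '%s\n' "$SAMPLE_REBUILT" | old_ssl_deps || echo "rebuilt binary: nothing to do"
fi
```

On a real system the interesting call is `scan_tree /usr | while read -r f so; do dpkg -S "$f"; done | cut -d: -f1 | sort -u`, which turns the per-file hits into the package list the thread is arguing about; it only tells you what is installed locally, so it is a spot check, not a substitute for a walk over the archive's build dependencies.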


Re: Packages that need to be rebuilt against libssl0.9.8

2005-10-06 Thread Henrique de Moraes Holschuh
Is there any chance of versioning openssl symbols properly?

I am not asking for 0.9.7 and 0.9.8 to coexist (although versioned symbols
would make that trivial), but PLEASE version the symbols.

Suggested version tag:  OPENSSL_0_9_8

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Packages that need to be rebuilt against libssl0.9.8

2005-10-06 Thread Henrique de Moraes Holschuh
On Thu, 06 Oct 2005, Aurelien Jarno wrote:
> The following list of packages needs to be rebuilt, otherwise some of 
> the binary packages they built will be uninstallable after today's mirror 
> push. Maybe bug reports have to be filed?

Next time, please give us at least a three-days advance warning...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Packages that need to be rebuilt against libssl0.9.8

2005-10-06 Thread Jonas Meurer
On 06/10/2005 Aurelien Jarno wrote:
> Christoph Martin a écrit :
> >Changes: 
> > openssl (0.9.8-1) unstable; urgency=low
> > .
> >   * New upstream release (closes: #311826)
> 
> The following list of packages needs to be rebuilt, otherwise some of 
> the binary packages they built will be uninstallable after today's mirror 
> push. Maybe bug reports have to be filed?
> 
> conserver

This package does not exist in Debian.

> ldmud

That one exists only in stable and oldstable.

Here's the list of all packages except these two, sorted by maintainer,
thanks to dd-list from devscripts:


Laszlo Boszormenyi (GCS) <[EMAIL PROTECTED]>
   neon

Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
   courier
   pure-ftpd

Richard A Nelson (Rick) <[EMAIL PROTECTED]>
   sendmail

Eric Schwartz (Skif) <[EMAIL PROTECTED]>
   yaz

Davide Puricelli (evo) <[EMAIL PROTECTED]>
   xchat

Jacek Śliwerski (rzyjontko) <[EMAIL PROTECTED]>
   elmo

Stefan Alfredsson <[EMAIL PROTECTED]>
   monit

Russ Allbery <[EMAIL PROTECTED]>
   webauth

Domenico Andreoli <[EMAIL PROTECTED]>
   curl
   libapache-mod-ssl
   tclcurl

Richard Atterer <[EMAIL PROTECTED]>
   jigdo
   w3c-libwww

SZALAY Attila <[EMAIL PROTECTED]>
   libzorpll
   zorp

Julien BLACHE <[EMAIL PROTECTED]>
   d4x

Thomas Bushnell, BSG <[EMAIL PROTECTED]>
   libofx

Miros/law L. Baran <[EMAIL PROTECTED]>
   epic4

Dima Barsky <[EMAIL PROTECTED]>
   cyrus-sasl2
   m2crypto

Brian Bassett <[EMAIL PROTECTED]>
   entity

Dave Beckett <[EMAIL PROTECTED]>
   raptor
   rasqal
   redland
   redland-bindings

Ian Beckwith <[EMAIL PROTECTED]>
   netkit-telnet-ssl

Luciano Bello <[EMAIL PROTECTED]>
   davfs2

John V. Belmonte <[EMAIL PROTECTED]>
   xmlsec1

Hilko Bengen <[EMAIL PROTECTED]>
   nail

Michael Biebl <[EMAIL PROTECTED]>
   kdesvn
   partimage

Bastian Blank <[EMAIL PROTECTED]>
   omniorb4

Blars Blarson <[EMAIL PROTECTED]>
   suck

Eduard Bloch <[EMAIL PROTECTED]>
   encfs

Phil Blundell <[EMAIL PROTECTED]>
   dillo

Regis Boudin <[EMAIL PROTECTED]>
   tellico

Nicolas Boullis <[EMAIL PROTECTED]>
   isync

Jeremy T. Bouse <[EMAIL PROTECTED]>
   fwbuilder
   libesmtp
   libfwbuilder
   libgcgi

Ludovic Brenta <[EMAIL PROTECTED]>
   libaws

Ben Burton <[EMAIL PROTECTED]>
   kdesdk

Petr Cech <[EMAIL PROTECTED]>
   pavuk

Christopher L Cheney <[EMAIL PROTECTED]>
   vorbis-tools

Pierre Chifflier <[EMAIL PROTECTED]>
   newpki-client
   newpki-lib
   newpki-server

Russell Coker <[EMAIL PROTECTED]>
   postal

Jamin W. Collins <[EMAIL PROTECTED]>
   jabber
   jabber-jud
   jabber-muc
   jabber-yahoo

Eric Cooper <[EMAIL PROTECTED]>
   approx

Julien Danjou <[EMAIL PROTECTED]>
   telak

Frederik Dannemare <[EMAIL PROTECTED]>
   clamcour

LI Daobing <[EMAIL PROTECTED]>
   qterm

Debian Apache Maintainers 
   apache
   apache2

Debian OpenOffice Team 
   neon0.23

Debian Qt/KDE Maintainers 
   kdebase
   kdenetwork

Murat Demirten <[EMAIL PROTECTED]>
   ettercap
   sim

Grzegorz Prokopski (Debian Developer) <[EMAIL PROTECTED]>
   opendchub

Jean-Francois Dive <[EMAIL PROTECTED]>
   isakmpd

Eric Dorland <[EMAIL PROTECTED]>
   opensc

Paul Dwerryhouse <[EMAIL PROTECTED]>
   kannel

Dirk Eddelbuettel <[EMAIL PROTECTED]>
   linuxtrade

Peter Eisentraut <[EMAIL PROTECTED]>
   licq

Rene Engelhard <[EMAIL PROTECTED]>
   aria

Raphael Enrici <[EMAIL PROTECTED]>
   pgadmin3

Carey Evans <[EMAIL PROTECTED]>
   tn5250

Eric Evans <[EMAIL PROTECTED]>
   xsupplicant

Peter Van Eynde <[EMAIL PROTECTED]>
   cl-ssl

Tomas Fasth <[EMAIL PROTECTED]>
   rdesktop

Duncan Findlay <[EMAIL PROTECTED]>
   spamassassin

José Fonseca <[EMAIL PROTECTED]>
   esmtp

Romain Francoise <[EMAIL PROTECTED]>
   tcpdump

Jochen Friedrich <[EMAIL PROTECTED]>
   net-snmp
   ucd-snmp

Wilmer van der Gaast <[EMAIL PROTECTED]>
   ctrlproxy

Hector Garcia <[EMAIL PROTECTED]>
   zmailer

David Moreno Garza <[EMAIL PROTECTED]>
   xmms

RISKO Gergely <[EMAIL PROTECTED]>
   starttls

Daniel Glassey <[EMAIL PROTECTED]>
   bibletime
   gnomesword
   sword

Henning Glawe <[EMAIL PROTECTED]>
   libgwenhywfar

Francois-Denis Gonthier <[EMAIL PROTECTED]>
   erlang

Stephen Gran <[EMAIL PROTECTED]>
   clamav

Debian Perl Group <[EMAIL PROTECTED]>
   libwww-curl-perl

Yu Guanghui <[EMAIL PROTECTED]>
   qpopper

Marc Haber <[EMAIL PROTECTED]>
   rageircd

Fredrik Hallenberg <[EMAIL PROTECTED]>
   asmail

Chris Halls <[EMAIL PROTECTED]>
   ayttm

Chris Hanson <[EMAIL PROTECTED]>
   mit-scheme

Sam Hartman <[EMAIL PROTECTED]>
   openssh-krb5

Peter Hawkins <[EMAIL PROTECTED]>
   python-ldap

Adam Heath <[EMAIL PROTECTED]>
   xen

Tollef Fog Heen <[EMAIL PROTECTED]>
   cfengine

Dan Helfman <[EMAIL PROTECTED]>
   libnet-tclink-perl
   php4-tclink
   python-tclink

Gregor Hoffleit <[EMAIL PROTECTED]>
   python2.1

Henrique de Moraes Holschuh <[EMAIL PROTECTED]>
   cyrus21-imapd
   hplip

Simon Horman <[EMAIL PROTECTED]>
   heartbeat
   heartbeat-2
   perdition

Alex Hudson <[EMAIL PROTECTED]>
   hula

Philipp Hug <[EMAIL PROTECTED]>
   mnogosearch

Re: Packages that need to be rebuilt against libssl0.9.8

2005-10-06 Thread Marco d'Itri
On Oct 06, Aurelien Jarno <[EMAIL PROTECTED]> wrote:

> The following list of packages needs to be rebuilt, otherwise some of 
> the binary packages they built will be uninstallable after today's mirror 
> push. Maybe bug reports have to be filed?
308 bugs are too many.
Starting from next week send a few warning emails to the maintainers,
then we will see.

-- 
ciao,
Marco




Re: Packages that need to be rebuilt against libssl0.9.8

2005-10-06 Thread Josselin Mouette
Le jeudi 06 octobre 2005 à 08:33 +0200, Aurelien Jarno a écrit :
> Christoph Martin a écrit :
> > Changes: 
> >  openssl (0.9.8-1) unstable; urgency=low
> >  .
> >* New upstream release (closes: #311826)
> 
> The following list of packages needs to be rebuilt, otherwise some of 
> the binary packages they built will be uninstallable after today's mirror 
> push. Maybe bug reports have to be filed?
[snip]

Furthermore, as OpenSSL symbols aren't versioned, this will lead to
random crashes if a binary ends up being linked to both versions, won't
it?
-- 
 .''`.   Josselin Mouette                /\./\
: :' :   [EMAIL PROTECTED]
`. `'    [EMAIL PROTECTED]
  `-  Debian GNU/Linux -- The power of freedom
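The crash Josselin asks about here and the version tag Henrique and Alastair settle on earlier in the thread (OPENSSL_0.9.8, in the GLIBC_2.0 style) are two sides of one ELF mechanism. Without symbol versions, a process that ends up with both libssl.so.0.9.7 and libssl.so.0.9.8 mapped (through a plugin or a dependency that was rebuilt while the main binary was not) resolves every SSL_* reference to whichever library the dynamic linker searched first, so callers built against one ABI execute the other's code. With a version node attached to every export, each reference binds to the node it was linked against, and the two copies can coexist. Below is an added example, not code from this thread or from the Debian openssl package: a GNU ld version script that puts every export under OPENSSL_0.9.8, and a POSIX shell check that parses `readelf -W --dyn-syms` output and lists exported symbols that carry no version. The glob patterns stand in for the real export list, and the readelf listings are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian's openssl package.
# Export globs and the readelf listings below are constructed for illustration.
set -eu

# version_script: a GNU ld version script that tags every exported symbol with
# the OPENSSL_0.9.8 node and hides everything else. Link the library with
#   gcc -shared -Wl,-soname,libssl.so.0.9.8 -Wl,--version-script=libssl.map ...
# and the exports show up as NAME@@OPENSSL_0.9.8 in .dynsym. A later ABI break
# adds a new node (OPENSSL_0.9.9 { ... } OPENSSL_0.9.8;) instead of silently
# redefining symbols under the old one.
version_script() {
    cat <<'EOF'
OPENSSL_0.9.8 {
  global:
    SSL_*; SSLv3_*; TLSv1_*; BIO_*; ERR_*; EVP_*; X509_*;
  local:
    *;
};
EOF
}

# unversioned_exports: read `readelf -W --dyn-syms LIB` on stdin and print every
# defined, non-local FUNC/OBJECT symbol whose name has no @VERSION suffix.
# A library whose ABI is properly versioned prints nothing.
unversioned_exports() {
    awk '
        # columns: Num: Value Size Type Bind Vis Ndx Name
        $1 ~ /^[0-9]+:$/ && NF >= 8 {
            type = $4; bind = $5; ndx = $7; name = $8
            if ((type == "FUNC" || type == "OBJECT") && bind != "LOCAL" && ndx != "UND" && name !~ /@/) print name
        }'
}

# abi_is_versioned: exit 0 when every export carries a version, 1 otherwise.
abi_is_versioned() {
    [ -z "$(unversioned_exports)" ]
}

# Constructed listing: what unversioned 0.9.7-style exports look like ...
SAMPLE_UNVERSIONED='Symbol table .dynsym contains 5 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc
     2: 0000000000001140    48 FUNC    GLOBAL DEFAULT   12 SSL_new
     3: 0000000000001170    17 FUNC    GLOBAL DEFAULT   12 SSL_free
     4: 0000000000004010     4 OBJECT  GLOBAL DEFAULT   23 SSL_version_str'

# ... and the same exports after linking with the version script above.
SAMPLE_VERSIONED='Symbol table .dynsym contains 5 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc
     2: 0000000000001140    48 FUNC    GLOBAL DEFAULT   12 SSL_new@@OPENSSL_0.9.8
     3: 0000000000001170    17 FUNC    GLOBAL DEFAULT   12 SSL_free@@OPENSSL_0.9.8
     4: 0000000000004010     4 OBJECT  GLOBAL DEFAULT   23 SSL_version_str@@OPENSSL_0.9.8'

# Run as `sh versioncheck.sh demo` to see the unversioned names reported.
if [ "${1:-}" = demo ]; then
    version_script > libssl.map
    printf '%s\n' "$SAMPLE_UNVERSIONED" | abi_is_versioned || echo "unversioned exports:"
    printf '%s\n' "$SAMPLE_UNVERSIONED" | unversioned_exports
    printf '%s\n' "$SAMPLE_VERSIONED" | abi_is_versioned && echo "versioned sample: all exports tagged"
fi
```

Against a real library the check is `readelf -W --dyn-syms /usr/lib/libssl.so.0.9.8 | unversioned_exports` after sourcing the file; `objdump -T` would do as well, but readelf's column layout is what the awk above expects. Note that `local: *;` also drops symbols that were never meant to be public, which is a separate ABI change from the versioning itself and is why a version script is best introduced together with a soname bump rather than in the middle of one.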