Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-03-06 Thread John Paul Adrian Glaubitz
On 03/01/2017 08:21 AM, Sebastian Andrzej Siewior wrote:
>> The problem is that if the package was to be rebuilt now, it would be
>> rebuilt with OpenSSL 1.1 and not OpenSSL 1.0 which is the original
>> motivation for this bug report by Sebastian!
> 
> it already has been built with 1.1. We are done with the binNMUs for
> openssl.

Right, I forgot about that even though I was actually involved in that
through Debian Ports.

Anyway, can we make a decision here, please? I would like to see this bug
closed. I assume that just changing the Build-Depends from libssl-dev
to libssl1.0-dev should be the most straight-forward way of dealing with
this given the fact that Qt is still built against 1.0.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-28 Thread Sebastian Andrzej Siewior
On 2017-03-01 00:50:59 [+0100], John Paul Adrian Glaubitz wrote:
> Hi!
Hi,

> The problem is that if the package was to be rebuilt now, it would be
> rebuilt with OpenSSL 1.1 and not OpenSSL 1.0 which is the original
> motivation for this bug report by Sebastian!

it already has been built with 1.1. We are done with the binNMUs for
openssl.

> Adrian

Sebastian



Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-28 Thread John Paul Adrian Glaubitz
Hi!

> We shouldn't be changing the way a package builds during freeze.
> It was last built with openssl 1.0, so that's what we should have for now.

The problem is that if the package was to be rebuilt now, it would be
rebuilt with OpenSSL 1.1 and not OpenSSL 1.0 which is the original
motivation for this bug report by Sebastian!

Either way, it would be preferred to come to an agreement what to do
with this bug report now. It shouldn't remain open given the freeze.

Either close it or change the build depends to libssl1.0-dev to make
sure it's rebuilt with OpenSSL 1.0 in case a binNMU is triggered.

PS: Please keep everyone in CC. I didn't get your mail.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-26 Thread Sebastian Andrzej Siewior
On 2017-02-26 20:31:23 [+0100], Pino Toscano wrote:
> On Sunday, 26 February 2017 20:15:25 CET, John Paul Adrian Glaubitz wrote:
> > On 02/26/2017 07:48 PM, Sebastian Andrzej Siewior wrote:
> > > I don't insist on anything. I noticed that this package does not depend on
> > > libssl after building and that is why I took a look.
> 
> That is because it dlopen's libssl at runtime.
> 
> > Interesting. So, I guess the best option would actually be to drop the B-D on
> > libssl-dev completely. I have checked it myself and indeed libkf5khtml5 does
> > not depend on libssl at all. Plus, the package also builds fine with the
> > build dependency on libssl-dev completely removed.
> 
> That is because it is an optional dependency.
> 
> > Lisandro, maybe just dropping the build dependency on libssl-dev would be
> > the best option if it's actually not used at all?
> 
> NACK.

Yes, correct. There are a few symbols that export key creation and signing (or
something like that) so if you build this package without ssl then those
symbols are missing which would require a transition :)

Again. If someone who knows that package can say that it works fine with 1.1
and the missing symbols don't matter and it won't clash with 1.0 in any way
then feel free to close this. We are in freeze after all.

Sebastian



Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-26 Thread Scott Kitterman


On February 26, 2017 2:15:25 PM EST, John Paul Adrian Glaubitz wrote:
>On 02/26/2017 07:48 PM, Sebastian Andrzej Siewior wrote:
>> I don't insist on anything. I noticed that this package does not depend on
>> libssl after building and that is why I took a look.
>
>Interesting. So, I guess the best option would actually be to drop the B-D on
>libssl-dev completely. I have checked it myself and indeed libkf5khtml5 does
>not depend on libssl at all. Plus, the package also builds fine with the
>build dependency on libssl-dev completely removed.
>
>Lisandro, maybe just dropping the build dependency on libssl-dev would be
>the best option if it's actually not used at all?

We shouldn't be changing the way a package builds during freeze.  It was last 
built with openssl 1.0, so that's what we should have for now.

Scott K



Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-26 Thread Pino Toscano
On Sunday, 26 February 2017 20:15:25 CET, John Paul Adrian Glaubitz wrote:
> On 02/26/2017 07:48 PM, Sebastian Andrzej Siewior wrote:
> > I don't insist on anything. I noticed that this package does not depend on
> > libssl after building and that is why I took a look.

That is because it dlopen's libssl at runtime.

> Interesting. So, I guess the best option would actually be to drop the B-D on
> libssl-dev completely. I have checked it myself and indeed libkf5khtml5 does
> not depend on libssl at all. Plus, the package also builds fine with the
> build dependency on libssl-dev completely removed.

That is because it is an optional dependency.

> Lisandro, maybe just dropping the build dependency on libssl-dev would be
> the best option if it's actually not used at all?

NACK.

-- 
Pino Toscano



Re: Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-26 Thread John Paul Adrian Glaubitz
On 02/26/2017 07:48 PM, Sebastian Andrzej Siewior wrote:
> I don't insist on anything. I noticed that this package does not depend on
> libssl after building and that is why I took a look.

Interesting. So, I guess the best option would actually be to drop the B-D on
libssl-dev completely. I have checked it myself and indeed libkf5khtml5 does
not depend on libssl at all. Plus, the package also builds fine with the
build dependency on libssl-dev completely removed.

Lisandro, maybe just dropping the build dependency on libssl-dev would be
the best option if it's actually not used at all?

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Re: Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-26 Thread Sebastian Andrzej Siewior
On 2017-02-26 01:03:23 [+0100], John Paul Adrian Glaubitz wrote:
> But the question is whether SSL support is actually relevant in khtml at all.

If it is not exported or mixed with QT's SSL then it is not relevant.

> As you can see from the list of reverse dependencies, there's actually not
> much that is using khtml and the very few packages that use it are offline
> only like SystemSettings or Kiten. So, I don't think any SSL code is actually
> ever used.
> 
> I mean, if you really insist to rebuild khtml with libssl1.0-dev, then please
> just let's go ahead in order to get the number of RC bugs for Stretch down.

I don't insist on anything. I noticed that this package does not depend on
libssl after building and that is why I took a look. Then I noticed it is QT
based and loads symbols which don't exist. If none of that matters then simply
close the bug and keep everything as-is.

> Adrian

Sebastian



Re: Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-25 Thread John Paul Adrian Glaubitz
On 02/25/2017 09:39 PM, Sebastian Andrzej Siewior wrote:
> No. I assume that it might use QT's internal networking which is 1.0 and if
> they mix then bad things will happen.
> 
> The two functions marked * have no error handling if the function is missing.
> Not using SSLv23_client_method() means that the user of this class has to
> try again with TLSv1_client_method() member which will only allow a TLS1.0
> handshake. This is not what you want because TLS1.0 itself is deprecated and
> the v23 method would allow the maximum possible TLS level (which is currently
> 1.2).

But the question is whether SSL support is actually relevant in khtml at all.

As you can see from the list of reverse dependencies, there's actually not
much that is using khtml and the very few packages that use it are offline
only like SystemSettings or Kiten. So, I don't think any SSL code is actually
ever used.

I mean, if you really insist to rebuild khtml with libssl1.0-dev, then please
just let's go ahead in order to get the number of RC bugs for Stretch down.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Re: Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-25 Thread Sebastian Andrzej Siewior
On 2017-02-25 12:29:31 [-0300], Lisandro Damián Nicanor Pérez Meyer wrote:
> I think the issue here is if it will work or not at runtime. 

that is what I assume, correct.

> Sebastian: have you seen it crash due to this?

No. I assume that it might use QT's internal networking which is 1.0 and if
they mix then bad things will happen.
I am sure that the following symbols are missing:
 RAND_egd
 NETSCAPE_X509_it
 X509_STORE_CTX_set_chain*
 sk_free*
 sk_num
 sk_pop
 sk_value
 sk_new
 sk_push
 sk_dup
 SSLv23_client_method

The two functions marked * have no error handling if the function is missing.
Not using SSLv23_client_method() means that the user of this class has to
try again with TLSv1_client_method() member which will only allow a TLS1.0
handshake. This is not what you want because TLS1.0 itself is deprecated and
the v23 method would allow the maximum possible TLS level (which is currently
1.2).
For those reasons I think it is wise to migrate to libssl1.0-dev.

Sebastian
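
The check described in the message above can be run against an installed library. This is an added example, not code from khtml or from the thread: it resolves each listed name with dlsym() and counts what is missing. The names `struct sym` and `audit_library`, the default library name, and treating the two `*` entries as required are assumptions made for illustration.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

struct sym { const char *name; int required; };
/* Names from the list in the message above (added example, not khtml code).
 * The two '*' entries, called without error handling, are marked required. */
static const struct sym khtml_syms[] = {
    {"RAND_egd", 0}, {"NETSCAPE_X509_it", 0}, {"X509_STORE_CTX_set_chain", 1},
    {"sk_free", 1}, {"sk_num", 0}, {"sk_pop", 0}, {"sk_value", 0},
    {"sk_new", 0}, {"sk_push", 0}, {"sk_dup", 0}, {"SSLv23_client_method", 0},
};

/* Resolve every name through dlsym(). Returns the number of missing required
 * symbols, or -1 if the library cannot be opened; *optional_missing gets the
 * count of missing optional ones. path == NULL audits the running program. */
int audit_library(const char *path, const struct sym *tab, size_t n,
                  int *optional_missing)
{
    void *handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    int required_missing = 0;
    *optional_missing = 0;
    if (handle == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return -1;
    }
    for (size_t i = 0; i < n; i++) {
        dlerror();                      /* clear any stale error state */
        (void)dlsym(handle, tab[i].name);
        if (dlerror() == NULL)
            continue;                   /* symbol resolved */
        fprintf(stderr, "missing: %s\n", tab[i].name);
        if (tab[i].required)
            required_missing++;
        else
            (*optional_missing)++;
    }
    dlclose(handle);
    return required_missing;
}

int main(int argc, char **argv)
{
    /* Default library name is an assumption; pass the real path as argv[1]. */
    const char *lib = argc > 1 ? argv[1] : "libssl.so.1.1";
    size_t n = sizeof khtml_syms / sizeof khtml_syms[0];
    int opt = 0, req = audit_library(lib, khtml_syms, n, &opt);
    printf("%s: %d required, %d optional symbols missing\n", lib, req, opt);
    return req != 0;    /* non-zero exit: required symbols absent or load failed */
}
```

On older glibc releases, link with `-ldl`.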



Re: Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-25 Thread Lisandro Damián Nicanor Pérez Meyer
On Saturday, 25 February 2017 10:56:59 ART Scott Kitterman wrote:
> On Saturday, February 25, 2017 12:29:31 PM Lisandro Damián Nicanor Pérez Meyer wrote:
> > On Saturday, 25 February 2017 14:03:31 ART John Paul Adrian Glaubitz wrote:
> > > Hi Sebastian!
> > > 
> > > I just gave it a try and khtml builds fine as is.
> > > 
> > > Are there any additional tests you'd suggest for testing whether khtml
> > > works fine with libssl1.1? Attached is the build log of a successful
> > > test build of the current khtml package.
> > 
> > I think the issue here is if it will work or not at runtime.
> > 
> > Sebastian: have you seen it crash due to this?
> 
> Kf5 (including khtml) need to use the same version of openssl as Qt5, which
> is 1.0 for this cycle.  Whether crashes have been seen or not, trying to
> mix openssl 1.0 and 1.1 in the same stack seems foolhardy.

I agree with that.

-- 
An old proverb by El.Machi says that memory is like
French fries... there is never too much!

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/




Re: Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-25 Thread John Paul Adrian Glaubitz
Hi!

On 02/25/2017 04:29 PM, Lisandro Damián Nicanor Pérez Meyer wrote:
> I think the issue here is if it will work or not at runtime.
> 
> Sebastian: have you seen it crash due to this?

So, looking at the reverse dependencies of khtml (libkf5khtml5), the
packages affected by such a crash would be:

 * khelpcenter
 * kio-extras
 * kiten
 * systemsettings

I have just rebuilt khtml against libssl1.1 and installed the package
on my laptop running Debian unstable. I'm an active KDE user and tried
to run the Help Center, Kiten and System Settings. I have not seen any
crashes so far.

So, I think we should downgrade the severity of the bug for the time
being and wait for more info from the original bug reporter.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-25 Thread Scott Kitterman
On Saturday, February 25, 2017 12:29:31 PM Lisandro Damián Nicanor Pérez Meyer wrote:
> On Saturday, 25 February 2017 14:03:31 ART John Paul Adrian Glaubitz wrote:
> > Hi Sebastian!
> > 
> > I just gave it a try and khtml builds fine as is.
> > 
> > Are there any additional tests you'd suggest for testing whether khtml
> > works fine with libssl1.1? Attached is the build log of a successful
> > test build of the current khtml package.
> 
> I think the issue here is if it will work or not at runtime.
> 
> Sebastian: have you seen it crash due to this?

Kf5 (including khtml) need to use the same version of openssl as Qt5, which is 
1.0 for this cycle.  Whether crashes have been seen or not, trying to mix 
openssl 1.0 and 1.1 in the same stack seems foolhardy.

Scott K



Re: Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-25 Thread Lisandro Damián Nicanor Pérez Meyer
On Saturday, 25 February 2017 14:03:31 ART John Paul Adrian Glaubitz wrote:
> Hi Sebastian!
> 
> I just gave it a try and khtml builds fine as is.
> 
> Are there any additional tests you'd suggest for testing whether khtml
> works fine with libssl1.1? Attached is the build log of a successful
> test build of the current khtml package.

I think the issue here is if it will work or not at runtime. 

Sebastian: have you seen it crash due to this?

-- 
Programming today is a race between software engineers striving to build
bigger and better idiot-proof programs, and the Universe trying to produce
bigger and better idiots. So far, the Universe is winning.
  Anonymous

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/




Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-25 Thread John Paul Adrian Glaubitz
Hi Sebastian!

I just gave it a try and khtml builds fine as is.

Are there any additional tests you'd suggest for testing whether khtml
works fine with libssl1.1? Attached is the build log of a successful
test build of the current khtml package.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913


khtml_5.28.0-1_amd64.build.gz
Description: application/gzip


Bug#856004: khtml: please build-depen on libssl1.0-dev for Stretch

2017-02-24 Thread Sebastian Andrzej Siewior
Package: khtml
Version: 5.28.0-1
Severity: serious

khtml B-D on libssl-dev and has been built against it in the archive. I
am not entirely sure that this works. I doubt because QT itself uses
libssl1.0.2 and passing around SSL, SSL_CTX, BIO or any other struct is
a no no. Additionally some of the symbols, that khtml loads via
dlopen(), are no longer exported by libssl1.1.
Therefore I think it is best to change the B-D to
libssl1.0-dev | libssl-dev (<< 1.1)
for Stretch.

Sebastian