Bug#863472: unblock: openssl/1.1.0f-1

2017-06-05 Thread Cyril Brulebois
Kurt Roeckx  (2017-06-05):
> On Mon, Jun 05, 2017 at 11:33:57AM +0200, Cyril Brulebois wrote:
> > Kurt Roeckx  (2017-06-04):
> > > So I've uploaded openssl 1.1.0f-2
> > 
> > Source debdiff lgtm from -1, and installation over https works fine,
> > ACK.
> 
> So I actually have a new version I want to upload:
> Modified: openssl/branches/1.1.0/debian/changelog
> ===
> --- openssl/branches/1.1.0/debian/changelog 2017-06-04 17:21:11 UTC (rev 
> 903)
> +++ openssl/branches/1.1.0/debian/changelog 2017-06-05 09:42:35 UTC (rev 
> 904)
> @@ -1,3 +1,9 @@
> +openssl (1.1.0f-3) unstable; urgency=medium
> +
> +  * Don't cleanup a thread-local key we didn't create (Closes: #863707)
> +
> + -- Kurt Roeckx   Mon, 05 Jun 2017 11:40:42 +0200
> +
>  openssl (1.1.0f-2) unstable; urgency=medium
> 
>* Make the udeb use a versioned depends (Closes: #864080)

1.1.0f-3 (built locally from the source package fetched from incoming)
tested successfully with an https-based playbook: ack.


KiBi.




Bug#863472: unblock: openssl/1.1.0f-1

2017-06-05 Thread Cyril Brulebois
Kurt Roeckx  (2017-06-05):
> On Mon, Jun 05, 2017 at 11:33:57AM +0200, Cyril Brulebois wrote:
> > Kurt Roeckx  (2017-06-04):
> > > So I've uploaded openssl 1.1.0f-2
> > 
> > Source debdiff lgtm from -1, and installation over https works fine,
> > ACK.
> 
> So I actually have a new version I want to upload: […]

Please don't, let's process stuff that's already been tested and ACKed
before considering further changes…


KiBi.




Bug#863472: unblock: openssl/1.1.0f-1

2017-06-05 Thread Kurt Roeckx
On Mon, Jun 05, 2017 at 11:33:57AM +0200, Cyril Brulebois wrote:
> Kurt Roeckx  (2017-06-04):
> > So I've uploaded openssl 1.1.0f-2
> 
> Source debdiff lgtm from -1, and installation over https works fine,
> ACK.

So I actually have a new version I want to upload:
Modified: openssl/branches/1.1.0/debian/changelog
===
--- openssl/branches/1.1.0/debian/changelog 2017-06-04 17:21:11 UTC (rev 
903)
+++ openssl/branches/1.1.0/debian/changelog 2017-06-05 09:42:35 UTC (rev 
904)
@@ -1,3 +1,9 @@
+openssl (1.1.0f-3) unstable; urgency=medium
+
+  * Don't cleanup a thread-local key we didn't create (Closes: #863707)
+
+ -- Kurt Roeckx   Mon, 05 Jun 2017 11:40:42 +0200
+
 openssl (1.1.0f-2) unstable; urgency=medium

   * Make the udeb use a versioned depends (Closes: #864080)
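
Review bot: the new changelog entry at the top of the hunk names the fix but not its symptom; for a freeze upload it helps the release team to say what #863707 manifests as and that the patch is the upstream commit (73bc53708c386c1ea85941d345721e23dc61c05c, merged from openssl/openssl PR 3592) cherry-picked unchanged, so it can be judged without opening the bug.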

Added: 
openssl/branches/1.1.0/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch
===
--- 
openssl/branches/1.1.0/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch
 (rev 0)
+++ 
openssl/branches/1.1.0/debian/patches/0001-Only-release-thread-local-key-if-we-created-it.patch
 2017-06-05 09:42:35 UTC (rev 904)
@@ -0,0 +1,47 @@
+From 73bc53708c386c1ea85941d345721e23dc61c05c Mon Sep 17 00:00:00 2001
+From: Rich Salz 
+Date: Wed, 31 May 2017 12:14:55 -0400
+Subject: [PATCH] Only release thread-local key if we created it.
+
+Thanks to Jan Alexander Steffens for finding the bug and confirming the
+fix.
+
+Reviewed-by: Richard Levitte 
+(Merged from https://github.com/openssl/openssl/pull/3592)
+---
+ crypto/err/err.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/err/err.c b/crypto/err/err.c
+index f866f2fdd0..c55f849590 100644
+--- a/crypto/err/err.c
 b/crypto/err/err.c
+@@ -122,6 +122,7 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
+ #endif
+
+ static CRYPTO_ONCE err_init = CRYPTO_ONCE_STATIC_INIT;
++static int set_err_thread_local;
+ static CRYPTO_THREAD_LOCAL err_thread_local;
+
+ static CRYPTO_ONCE err_string_init = CRYPTO_ONCE_STATIC_INIT;
+@@ -260,7 +261,8 @@ DEFINE_RUN_ONCE_STATIC(do_err_strings_init)
+
+ void err_cleanup(void)
+ {
+-CRYPTO_THREAD_cleanup_local(_thread_local);
++if (set_err_thread_local != 0)
++CRYPTO_THREAD_cleanup_local(_thread_local);
+ CRYPTO_THREAD_lock_free(err_string_lock);
+ err_string_lock = NULL;
+ }
+@@ -639,6 +641,7 @@ void ERR_remove_state(unsigned long pid)
+
+ DEFINE_RUN_ONCE_STATIC(err_do_init)
+ {
++set_err_thread_local = 1;
+ return CRYPTO_THREAD_init_local(_thread_local, NULL);
+ }
+
+--
+2.11.0
+
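
Review bot: in the third hunk of the embedded upstream diff, `+set_err_thread_local = 1;` runs before `CRYPTO_THREAD_init_local()` has returned, so if key creation fails the flag is still set and `err_cleanup()` will call `CRYPTO_THREAD_cleanup_local()` on a key that was never created, which is exactly the case the patch is meant to guard. Setting the flag only on success (`if (CRYPTO_THREAD_init_local(&err_thread_local, NULL)) set_err_thread_local = 1; return set_err_thread_local;`) closes that gap. Separately, this archived copy of the patch shows the argument as `_thread_local` while the variable declared two hunks earlier is `err_thread_local`, and the `+++ b/crypto/err/err.c` header has lost its prefix; that looks like mangling in transit rather than in the file, but it is worth confirming the patch in debian/patches applies cleanly with quilt before upload.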

Modified: openssl/branches/1.1.0/debian/patches/series
===
--- openssl/branches/1.1.0/debian/patches/series2017-06-04 17:21:11 UTC 
(rev 903)
+++ openssl/branches/1.1.0/debian/patches/series2017-06-05 09:42:35 UTC 
(rev 904)
@@ -4,3 +4,4 @@
 pic.patch
 c_rehash-compat.patch
 #padlock_conf.patch
+0001-Only-release-thread-local-key-if-we-created-it.patch

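The guard the upstream patch introduces, as an added example written against plain pthreads so it builds on its own; this is not OpenSSL's code and not part of the thread. The names err_init, err_set, err_get, err_cleanup and err_key_created are assumptions chosen to mirror err.c, the message text is constructed, and the example tightens one point relative to the posted hunk: the "created" flag is set only after the key-creation call succeeds, not before it.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Process-wide state mirroring err.c: a once-guard, the key itself, and the
 * flag the patch introduces (set_err_thread_local in OpenSSL). Names are
 * assumptions for this example. */
static pthread_once_t err_once = PTHREAD_ONCE_INIT;
static pthread_key_t err_key;      /* indeterminate until err_do_init runs */
static int err_key_created;        /* 1 only after pthread_key_create succeeded */

/* Runs at most once. The flag is set after the create call succeeds, so a
 * failed creation never leaves a stale "created" behind. */
static void err_do_init(void)
{
    if (pthread_key_create(&err_key, free) == 0)
        err_key_created = 1;
}

/* Lazy initialisation on first use; returns 1 when a usable key exists. */
int err_init(void)
{
    pthread_once(&err_once, err_do_init);
    return err_key_created;
}

/* Record a per-thread error message; the slot owns a private copy. */
int err_set(const char *msg)
{
    char *copy, *old;
    size_t len = strlen(msg) + 1;
    if (!err_init())
        return -1;
    copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, msg, len);
    old = pthread_getspecific(err_key);
    if (pthread_setspecific(err_key, copy) != 0) {
        free(copy);
        return -1;
    }
    free(old);                               /* release any earlier message */
    return 0;
}

/* This thread's message, or NULL when none was set or no key exists. */
const char *err_get(void)
{
    if (!err_key_created)
        return NULL;
    return pthread_getspecific(err_key);
}

/* Counterpart of err_cleanup(): release only what this module created.
 * Returns 1 when a key was deleted and 0 when there was nothing to delete,
 * so calling it without a prior err_init() is harmless instead of undefined. */
int err_cleanup(void)
{
    if (!err_key_created)
        return 0;
    free(pthread_getspecific(err_key));      /* destructors do not run on delete */
    pthread_setspecific(err_key, NULL);
    pthread_key_delete(err_key);
    err_key_created = 0;
    return 1;
}

int main(void)
{
    printf("cleanup before init: %d\n", err_cleanup());   /* 0: nothing to do */
    err_set("constructed: handshake failed");
    printf("message: %s\n", err_get());
    printf("cleanup after init: %d\n", err_cleanup());    /* 1 */
    printf("second cleanup: %d\n", err_cleanup());        /* 0 */
    return 0;
}
```

The first call in main is the scenario behind the patch: a program that links the library, never triggers lazy initialisation, and then runs the cleanup path at exit. With the flag in place that path is a no-op rather than a delete of an uninitialised key.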


Bug#863472: unblock: openssl/1.1.0f-1

2017-06-05 Thread Cyril Brulebois
Kurt Roeckx  (2017-06-04):
> So I've uploaded openssl 1.1.0f-2

Source debdiff lgtm from -1, and installation over https works fine,
ACK.

> and openssl1.0 1.0.2l-2

Bare metal check with WPA is next on my todo list.


KiBi.




Bug#863472: unblock: openssl/1.1.0f-1

2017-06-04 Thread Kurt Roeckx
On Sun, Jun 04, 2017 at 06:53:29PM +0200, Cyril Brulebois wrote:
> Kurt Roeckx  (2017-06-04):
> > So I changed it to this instead:
> > dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines
> > 
> > the shlib files now look like:
> > libcrypto 1.1 libssl1.1 (>= 1.1.0f)
> > libssl 1.1 libssl1.1 (>= 1.1.0f)
> > udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
> > udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)
> > 
> > Since we have symbol files, this does not affect non-udeb
> > packages.
> 
> As discussed on IRC (#debian-devel), the earlier syntax (-V with a
> version) was fine, and more accurate as it only needs to be bumped
> when symbols change. However, using -V without a specific version
> should get us updated dependencies every time; they might be stricter
> than needed, but that's better than forgetting about bumping the
> version IMHO, so fine with me.

So I've uploaded openssl 1.1.0f-2 and openssl1.0 1.0.2l-2


Kurt



Bug#863472: unblock: openssl/1.1.0f-1

2017-06-04 Thread Cyril Brulebois
Kurt Roeckx  (2017-06-04):
> So I changed it to this instead:
>   dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines
> 
> the shlib files now look like:
> libcrypto 1.1 libssl1.1 (>= 1.1.0f)
> libssl 1.1 libssl1.1 (>= 1.1.0f)
> udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
> udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)
> 
> Since we have symbol files, this does not affect non-udeb
> packages.

As discussed on IRC (#debian-devel), the earlier syntax (-V with a
version) was fine, and more accurate as it only needs to be bumped
when symbols change. However, using -V without a specific version
should get us updated dependencies every time; they might be stricter
than needed, but that's better than forgetting about bumping the
version IMHO, so fine with me.

Thanks.


KiBi.




Bug#863472: unblock: openssl/1.1.0f-1

2017-06-04 Thread Kurt Roeckx
On Sun, Jun 04, 2017 at 11:09:00AM +, Niels Thykier wrote:
> Kurt Roeckx:
> > [...]
> >>
> >> Maybe file this as an RC bug against openssl so that it isn't forgotten
> >> about, but ignore it for r0?
> > 
> > So I have prepared an update. Should I upload it?
> > 
> > [...]
> > 
> > 
> > Kurt
> > 
> 
> Ack from here, so if KiBi is ok with it, then please go ahead.

So I changed it to this instead:
dh_makeshlibs -a -V --add-udeb="libcrypto1.1-udeb" -Xengines

the shlib files now look like:
libcrypto 1.1 libssl1.1 (>= 1.1.0f)
libssl 1.1 libssl1.1 (>= 1.1.0f)
udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)

Since we have symbol files, this does not affect non-udeb
packages.


Kurt



Bug#863472: unblock: openssl/1.1.0f-1

2017-06-04 Thread Niels Thykier
Kurt Roeckx:
> [...]
>>
>> Maybe file this as an RC bug against openssl so that it isn't forgotten
>> about, but ignore it for r0?
> 
> So I have prepared an update. Should I upload it?
> 
> [...]
> 
> 
> Kurt
> 

Ack from here, so if KiBi is ok with it, then please go ahead.

Thanks,
~Niels



Bug#863472: unblock: openssl/1.1.0f-1

2017-06-04 Thread Kurt Roeckx
On Sun, Jun 04, 2017 at 05:29:21AM +0200, Cyril Brulebois wrote:
> Niels Thykier  (2017-06-03):
> > Kurt Roeckx:
> > > Package: release.debian.org
> > > User: release.debian@packages.debian.org
> > > Usertags: unblock
> > > Severity: normal
> > > 
> > > Hi,
> > > 
> > > I've uploaded a new upstream version of openssl that contains bug
> > > fixes. The Debian changelog says:
> > >* New upstream version
> > >  - Fix regression in req -x509 (Closes: #839575)
> > >  - Properly detect features on the AMD Ryzen processor
> > >(Closes: #861145)
> > >  - Don't mention -tls1_3 in the manpage (Closes: #859191)
> > >* Update libssl1.1.symbols for new symbols
> > >* Update man-section.patch
> > > 
> > > 
> > > Kurt
> > > 
> > 
> > Hi,
> > 
> > Fine by me.  CC'ing KiBi for a d-i ack assuming he is ok with this
> > last minute change.
> 
> Erm.
> 
> The libssl1.1-udeb package is broken, as it fails to depend on an
> appropriate version of libcrypto1.1-udeb, which means I've just
> successfully built a debian-installer against testing with this
> addition: build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb
> and gotten a broken wget:
> | wget: /usr/lib/libcrypto.so.1.1: version `OPENSSL_1_1_0f' not found 
> (required by /usr/lib/libssl.so.1.1)
> 
> See the missing version here:
> | $ dpkg --info build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb|grep 
> Depends:
> |  Depends: libc6-udeb (>= 2.24), libcrypto1.1-udeb
> 
> One could argue they're from the same source and that this isn't a
> practical problem since they're going to migrate at the same time and be
> used together in debian-installer, but further fun could come up when
> other packages start depending on particular symbols (hello wget), so I
> think it'd be nice to have this fixed.
> 
> Maybe file this as an RC bug against openssl so that it isn't forgotten
> about, but ignore it for r0?

So I have prepared an update. Should I upload it?

The source changes are:
--- openssl-1.1.0f/debian/changelog 2017-05-25 18:29:01.0 +0200
+++ openssl-1.1.0f/debian/changelog 2017-06-04 12:07:38.0 +0200
@@ -1,3 +1,10 @@
+openssl (1.1.0f-2) unstable; urgency=medium
+
+  * Make the udeb use a versioned depends (Closes: #864080)
+  * Conflict with libssl1.0-dev (Closes: #863367)
+
+ -- Kurt Roeckx   Sun, 04 Jun 2017 12:07:38 +0200
+
 openssl (1.1.0f-1) unstable; urgency=medium

   * New upstream version
diff -Nru openssl-1.1.0f/debian/control openssl-1.1.0f/debian/control
--- openssl-1.1.0f/debian/control   2017-01-26 23:19:08.0 +0100
+++ openssl-1.1.0f/debian/control   2017-06-04 12:07:33.0 +0200
@@ -72,6 +72,7 @@
 Multi-Arch: same
 Recommends: libssl-doc
 Depends: libssl1.1 (= ${binary:Version}), ${misc:Depends}
+Conflicts: libssl1.0-dev
 Description: Secure Sockets Layer toolkit - development files
  This package is part of the OpenSSL project's implementation of the SSL
  and TLS cryptographic protocols for secure communication over the
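
Review bot: the added `Conflicts: libssl1.0-dev` is unversioned, which is the right shape for two -dev packages that install the same header paths and can never be co-installed; `Breaks` would only fit if one package replaced the other. Since dpkg enforces Conflicts in both directions, libssl1.0-dev needs no matching entry, but the changelog line "Conflict with libssl1.0-dev" could say why (overlapping /usr/include/openssl) so the relationship is not later loosened by mistake.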
diff -Nru openssl-1.1.0f/debian/rules openssl-1.1.0f/debian/rules
--- openssl-1.1.0f/debian/rules 2017-05-25 18:17:29.0 +0200
+++ openssl-1.1.0f/debian/rules 2017-06-04 11:48:25.0 +0200
@@ -138,7 +138,7 @@

 override_dh_makeshlibs:
#dpkg-gensymbols -Pdebian/libssl1.1/ -plibssl1.1 -c4
-   dh_makeshlibs -a --add-udeb="libcrypto1.1-udeb" -Xengines
+   dh_makeshlibs -a --add-udeb="libcrypto1.1-udeb (>= 1.1.0f)" -Xengines
# XXX: This needs gets set perl:any by dh_perl which is correct, but
# that breaks debootstrap in jessie (the current stable). This hack
# could be removed once stretch is stable and contains a fixed
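
Review bot: the new `--add-udeb="libcrypto1.1-udeb (>= 1.1.0f)"` hardcodes the upstream version, so the next upstream release that adds symbols silently reintroduces the unversioned-dependency problem unless someone remembers to edit debian/rules. Passing `-V` to dh_makeshlibs without an argument makes it use the package's own version on every build, which is stricter than necessary but cannot go stale; if the exact minimum is wanted instead, derive it from the changelog (`dpkg-parsechangelog -S Version`) rather than from a literal in the rules file.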

It changes the shlibs file from:
libcrypto 1.1 libssl1.1
libssl 1.1 libssl1.1
udeb: libcrypto 1.1 libcrypto1.1-udeb
udeb: libssl 1.1 libssl1.1-udeb

to:
libcrypto 1.1 libssl1.1
libssl 1.1 libssl1.1
udeb: libcrypto 1.1 libcrypto1.1-udeb (>= 1.1.0f)
udeb: libssl 1.1 libssl1.1-udeb (>= 1.1.0f)

It results in the following debdiff change on the binaries:
File lists identical (after any substitutions)

Control files of package libcrypto1.1-udeb: lines which differ (wdiff format)
-
Version: [-1.1.0f-1-] {+1.1.0f-2+}

Control files of package libssl-dev: lines which differ (wdiff format)
--
{+Conflicts: libssl1.0-dev+}
Depends: libssl1.1 (= [-1.1.0f-1)-] {+1.1.0f-2)+}
Version: [-1.1.0f-1-] {+1.1.0f-2+}

Control files of package libssl-doc: lines which differ (wdiff format)
--
Version: [-1.1.0f-1-] {+1.1.0f-2+}

Control files of package libssl1.1: lines which differ (wdiff format)
-
Version: [-1.1.0f-1-] {+1.1.0f-2+}

Control files of package libssl1.1-dbgsym: lines which differ (wdiff 

Bug#863472: unblock: openssl/1.1.0f-1

2017-06-03 Thread Cyril Brulebois
Niels Thykier  (2017-06-03):
> Kurt Roeckx:
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > Severity: normal
> > 
> > Hi,
> > 
> > I've uploaded a new upstream version of openssl that contains bug
> > fixes. The Debian changelog says:
> >* New upstream version
> >  - Fix regression in req -x509 (Closes: #839575)
> >  - Properly detect features on the AMD Ryzen processor
> >(Closes: #861145)
> >  - Don't mention -tls1_3 in the manpage (Closes: #859191)
> >* Update libssl1.1.symbols for new symbols
> >* Update man-section.patch
> > 
> > 
> > Kurt
> > 
> 
> Hi,
> 
> Fine by me.  CC'ing KiBi for a d-i ack assuming he is ok with this
> last minute change.

Erm.

The libssl1.1-udeb package is broken, as it fails to depend on an
appropriate version of libcrypto1.1-udeb, which means I've just
successfully built a debian-installer against testing with this
addition: build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb
and gotten a broken wget:
| wget: /usr/lib/libcrypto.so.1.1: version `OPENSSL_1_1_0f' not found (required 
by /usr/lib/libssl.so.1.1)

See the missing version here:
| $ dpkg --info build/localudebs/libssl1.1-udeb_1.1.0f-1_amd64.udeb|grep 
Depends:
|  Depends: libc6-udeb (>= 2.24), libcrypto1.1-udeb

One could argue they're from the same source and that this isn't a
practical problem since they're going to migrate at the same time and be
used together in debian-installer, but further fun could come up when
other packages start depending on particular symbols (hello wget), so I
think it'd be nice to have this fixed.

Maybe file this as an RC bug against openssl so that it isn't forgotten
about, but ignore it for r0?


That being said, an installer built against both updated udebs seems to
work fine with regular http and https test cases, which is better news.

Awaiting RT comments before d-i ACK'ing this update.


KiBi.




Bug#863472: unblock: openssl/1.1.0f-1

2017-06-03 Thread Niels Thykier
Kurt Roeckx:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
> 
> Hi,
> 
> I've uploaded a new upstream version of openssl that contains bug
> fixes. The Debian changelog says:
>* New upstream version
>  - Fix regression in req -x509 (Closes: #839575)
>  - Properly detect features on the AMD Ryzen processor
>(Closes: #861145)
>  - Don't mention -tls1_3 in the manpage (Closes: #859191)
>* Update libssl1.1.symbols for new symbols
>* Update man-section.patch
> 
> 
> Kurt
> 

Hi,

Fine by me.  CC'ing KiBi for a d-i ack assuming he is ok with this last
minute change.

~Niels



Bug#863472: unblock: openssl/1.1.0f-1

2017-05-27 Thread Kurt Roeckx
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock
Severity: normal

Hi,

I've uploaded a new upstream version of openssl that contains bug
fixes. The Debian changelog says:
   * New upstream version
 - Fix regression in req -x509 (Closes: #839575)
 - Properly detect features on the AMD Ryzen processor
   (Closes: #861145)
 - Don't mention -tls1_3 in the manpage (Closes: #859191)
   * Update libssl1.1.symbols for new symbols
   * Update man-section.patch


Kurt