Package: openssl
Version: 0.9.8-2
Severity: critical
Justification: breaks unrelated software

OpenSSL does not version symbols. This means all applications that somehow end up linked to both openssl 0.9.7 and 0.9.8 segfault or behave otherwise erratically (which would be a critical bug by itself, as openssl is a data privacy/authentication framework with severe consequences for overall system security).

Therefore, ANY new ABI-introducing version of openssl has to conflict with ALL **libraries** (not applications) that are linked against other openssl versions. Not doing so is just hiding the mess for the users to find out as segfaults. Transitions like this should be enforced by package dependencies, always.

The whole deal is made even worse because some of the libraries linking to openssl are used by PAM modules and/or nsswitch modules, and thus dlopen()ed by a lot/potentially all applications in the system.

The conflicts are quite messy, but unless either symbol versioning or another technique that avoids the symbol mess while linked is employed (weak symbols might do it, I think -- but symbol versioning is much easier to predict and understand), it is what must be done.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13.4-debian1+libata+bluesmoke+imq+lm85
Locale: LANG=pt_BR.ISO-8859-1, LC_CTYPE=pt_BR.ISO-8859-1 (charmap=ISO-8859-1)

Versions of packages openssl depends on:
ii  libc6        2.3.5-6  GNU C Library: Shared libraries an
ii  libssl0.9.8  0.9.8-2  SSL shared libraries

openssl recommends no packages.

-- no debconf information

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
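A check for the condition described in the report, as an added example that is not part of the original message: it scans text in the format of /proc/<pid>/maps and reports any library mapped into one process under more than one soname version, which also covers copies pulled in by dlopen()ed PAM or NSS modules. The mapping lines, paths, and the names `exampled` and `pam_example.so` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in /proc/<pid>/maps format: the program links libssl 0.9.8,
# while a dlopen()ed module drags in libssl 0.9.7 (all paths are made up).
SAMPLE_MAPS = """\
08048000-0804f000 r-xp 00000000 03:01 1234 /usr/sbin/exampled
b7c00000-b7c2f000 r-xp 00000000 03:01 2001 /usr/lib/libssl.so.0.9.8
b7c2f000-b7c33000 rw-p 0002f000 03:01 2001 /usr/lib/libssl.so.0.9.8
b7a00000-b7b10000 r-xp 00000000 03:01 2002 /usr/lib/libcrypto.so.0.9.8
b7900000-b792d000 r-xp 00000000 03:01 2003 /usr/lib/libssl.so.0.9.7
b7700000-b77f0000 r-xp 00000000 03:01 2004 /usr/lib/libcrypto.so.0.9.7
b7600000-b7610000 r-xp 00000000 03:01 2005 /lib/security/pam_example.so
b7d00000-b7e20000 r-xp 00000000 03:01 2006 /lib/libc.so.6
b7f00000-b7f01000 rw-p 00000000 00:00 0
"""

# Matches ".../libNAME.so.VERSION"; group 1 is the library, group 2 its soname version.
SONAME_RE = re.compile(r"/(lib[^/\s]+?\.so)\.([0-9][^/\s]*)$")
DELETED = " (deleted)"  # suffix the kernel adds when the mapped file was replaced on disk


def conflicting_libraries(maps_text):
    """Return {library: sorted versions} for libraries mapped in more than one version."""
    versions = defaultdict(set)
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:  # anonymous mapping, no backing file
            continue
        path = fields[5].strip()
        if path.endswith(DELETED):
            path = path[: -len(DELETED)]
        match = SONAME_RE.search(path)
        if match:
            versions[match.group(1)].add(match.group(2))
    return {lib: sorted(v) for lib, v in versions.items() if len(v) > 1}


if __name__ == "__main__":
    for lib, vers in sorted(conflicting_libraries(SAMPLE_MAPS).items()):
        print(f"{lib}: versions {', '.join(vers)} mapped in the same process")
```

On a live system the same function can be fed the contents of `/proc/<pid>/maps` for each running process.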