Why Fedora 10 still uses openssl pkg from 2007, 4 releases old?

Rick Stevens ricks at nerd.com
Fri Jan 9 01:05:01 UTC 2009


Frantisek Hanzlik wrote:
> Rick Stevens wrote:
>> Frantisek Hanzlik wrote:
>>> After upgrading from F7 to F10 I am unable (for me, but on several
>>> sites) to access the sendmail daemon with authenticated access by
>>> either TLS (port 25) or SSL (port 465) protocols from M$ Outlook
>>> (Express too). I am still working on the right description of this
>>> issue; it looks like some problem in certificate exchange.
>>> But no matter what it's related to, surprising for me is the fact
>>> that Fedora 10 uses openssl package version 0.9.8g released in 2007,
>>> while the actual released version is 0.9.8j, four versions newer.
>>
>> If you check the source RPM's spec file, you'll see that most (if not
>> all) of the "j" patches have been backported to the "g" version. The
>> trick is that the "j" version bumps the .so for /lib[64]/libcrypto.so.7
>> and /lib[64]/libssl.so.7 from ".7" to ".8" and a lot of existing code
>> would break because they want .7. Hope that explains it for you.
>>
>> ----------------------------------------------------------------------
>> - Rick Stevens, Systems Engineer ricks at nerd.com -
>> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
>> - -
>> - If you're not part of the solution, you're part of the precipitate -
>> ----------------------------------------------------------------------
> 
> Rick, thanks for your response.
> But - yes, I know the F10 openssl pkg 0.9.8g release 12 was just released,
> and I read its changelog, thus I know what was backported to it.
> 
> But I don't agree with your "lot of existing code would break
> because ..", as when I ask:
> 
> rpm -q --whatrequires openssl
> 
> tinyca2-0.7.5-4.fc10.noarch
> dovecot-1.1.7-1.fc10.i386
> openldap-servers-2.4.12-1.fc10.i386
> nash-6.0.71-3.fc10.i386
> NetworkManager-0.7.0-1.git20090102.fc10.i386
> sendmail-8.14.3-3.fc10.i386
> openssl-devel-0.9.8g-12.fc10.i386
> openssl-perl-0.9.8g-12.fc10.i386
> 
> (and I have a relatively large system with packages from rpmfusion, dries,
> atrpms, planetccrma and others) - thus, I think, the only packages
> depending on openssl are a few from Fedora's own repository.
> Am I right?

Those are only the ones you have installed (rpm only queries your
installed packages).  There are probably others in the repos (not sure
if yum can query for "list everything dependent on openssl").  On top
of that, you also have to consider people (such as myself) that don't
just install RPM-based packages, but have built them from source
tarballs and the like.

While the general rule is to simply link against the ".so" version of
a library, many packages specifically link against the ".so.(version)"
of the libraries to ensure they have specific APIs that may not exist in
earlier versions.  Unfortunately there's no "link against .so.7 or 
later" option in the linker (or if there is, it's not often used).

Thus, if you installed a libssl.so.8 and DIDN'T create (or replace) a
".so.7" symlink which points at the new .8 version to satisfy existing
packages (and remember, there are some F9 packages in F10), your code
won't run.  That's why they backport the patches and ship a heavily
modified "g" version (which retains the .so.7) instead of a (newer)
"j" version (with the new .so.8).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-                       When in doubt, mumble.                       -
----------------------------------------------------------------------
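
The soname dependency described in the message above can be checked directly on a host. The following is an added example, not part of the original thread: the function names are hypothetical and the `readelf -d` output is a constructed sample. It lists which binaries would fail to load if only the `.so.8` libraries were installed and no `.so.7` symlink existed.

```shell
#!/usr/bin/env bash
# Added example: which binaries break when a library's soname is bumped?
# Input is `readelf -d`-style text; the sample below is constructed.

# Print "binary soname" for every NEEDED entry in readelf -d output.
# Relies on the "File: <path>" line readelf prints before each dynamic
# section when it is given more than one file.
needed_sonames() {
  awk '
    /^File: /    { file = $2 }
    /\(NEEDED\)/ { if (match($0, /\[[^]]+\]/))
                     print file, substr($0, RSTART + 1, RLENGTH - 2) }
  '
}

# Read "binary soname" pairs on stdin; the arguments are the sonames that
# would be present after the upgrade. Print every binary whose libssl or
# libcrypto dependency would no longer be satisfied.
broken_by_bump() {
  awk -v have="$*" '
    BEGIN { n = split(have, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 ~ /^lib(ssl|crypto)\.so\./ && !($2 in ok) { print $1 " needs " $2 }
  '
}

sample_readelf() {   # constructed sample, not captured from a real system
  cat <<'EOF'

File: /usr/sbin/sendmail
Dynamic section at offset 0x9c0f0 contains 27 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libssl.so.7]
 0x00000001 (NEEDED)                     Shared library: [libcrypto.so.7]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]

File: /usr/local/bin/mytool
Dynamic section at offset 0x1f00 contains 22 entries:
 0x00000001 (NEEDED)                     Shared library: [libssl.so.8]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
EOF
}

# On a real host: readelf -d /usr/sbin/* 2>/dev/null | needed_sonames | ...
sample_readelf | needed_sonames | broken_by_bump libssl.so.8 libcrypto.so.8
```

Unlike `rpm -q --whatrequires`, this inspects the binaries themselves, so it also covers software built from source tarballs.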



