Why Fedora 10 still uses openssl pkg from 2007, 4 releases old?

Frantisek Hanzlik franta at hanzlici.cz
Fri Jan 9 08:55:44 UTC 2009


Rick Stevens wrote:
> Frantisek Hanzlik wrote:
>> Rick Stevens wrote:
>>> Frantisek Hanzlik wrote:
>>>> After upgrading from F7 to F10 it's not possible (for me, but on
>>>> several sites) to access the sendmail daemon with authenticated
>>>> access by either TLS (port 25) or SSL (port 465) protocols from
>>>> M$ Outlook (Express too). I am still working on a proper description
>>>> of this issue; it looks like some problem in the certificate exchange.
>>>> But no matter what it's related to, surprising to me is the fact
>>>> that Fedora 10 uses openssl package version 0.9.8g released in 2007,
>>>> while the actual released version is 0.9.8j, four versions newer.
>>>
>>> If you check the source RPM's spec file, you'll see that most (if not
>>> all) of the "j" patches have been backported to the "g" version. The
>>> trick is that the "j" version bumps the .so for /lib[64]/libcrypto.so.7
>>> and /lib[64]/libssl.so.7 from ".7" to ".8" and a lot of existing code
>>> would break because they want .7. Hope that explains it for you.
>>>
>>> ----------------------------------------------------------------------
>>> - Rick Stevens, Systems Engineer ricks at nerd.com -
>>> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
>>> - -
>>> - If you're not part of the solution, you're part of the precipitate -
>>> ----------------------------------------------------------------------
>>
>> Rick, thanks for your response.
>> But - yes, I know that F10 openssl pkg 0.9.8g release 12 was just
>> released, and I read its changelog, thus I know what was backported to it.
>>
>> But I don't agree with you about this "lot of existing code would break
>> because ..", as when I ask:
>>
>> rpm -q --whatrequires openssl
>>
>> tinyca2-0.7.5-4.fc10.noarch
>> dovecot-1.1.7-1.fc10.i386
>> openldap-servers-2.4.12-1.fc10.i386
>> nash-6.0.71-3.fc10.i386
>> NetworkManager-0.7.0-1.git20090102.fc10.i386
>> sendmail-8.14.3-3.fc10.i386
>> openssl-devel-0.9.8g-12.fc10.i386
>> openssl-perl-0.9.8g-12.fc10.i386
>>
>> (and I have a relatively large system with packages from rpmfusion, dries,
>> atrpms, planetccrma and others) - thus, I think, the only packages that
>> depend on openssl are a few from Fedora's own repository.
>> Am I right?
>
> Those are only the ones you have installed (rpm only queries your
> installed packages). There are probably others in the repos (not sure
> if yum can query for "list everything dependent on openssl"). On top
> of that, you also have to consider people (such as myself) that don't
> just install RPM-based packages, but have built them from source
> tarballs and the like.
>
> While the general rule is to simply link against the ".so" version of
> a library, many packages specifically link against the ".so.(version)"
> of the libraries to ensure they have specific APIs that may not exist in
> earlier versions. Unfortunately there's no "link against .so.7 or later"
> option in the linker (or if there is, it's not often used).
>
> Thus, if you installed a libssl.so.8 and DIDN'T create (or replace) a
> ".so.7" symlink which points at the new .8 version to satisfy existing
> packages (and remember, there are some F9 packages in F10), your code
> won't run. That's why they backport the patches and ship a heavily
> modified "g" version (which retains the .so.7) instead of a (newer)
> "j" version (with the new .so.8).
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer ricks at nerd.com -
> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
> - -
> - When in doubt, mumble. -
> ----------------------------------------------------------------------
>
You are right, there are perhaps lots more packages depending on openssl
which rpm isn't able to list.

But still - IMHO creating a symlink ".so.7" to the new ".so.8" is I think
very simple, and may be done with a little patch in the openssl Makefile, or
in the RPM install script - the energy to maintain and backport bugfixes to
old code must be much greater, and it probably isn't realistic to maintain it
over and over again.

Frantisek Hanzlík
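
The distinction drawn in the quoted reply above, between requiring the openssl package by name and requiring a specific library soname, shown as an added example that is not part of the original thread. The package names and requirement pairs are constructed sample data, and `dependents_on` and `unsatisfied` are hypothetical helpers.

```shell
#!/bin/sh
# Constructed sample data: "package<TAB>required capability" pairs in the
# shape of RPM Requires entries. Package names are hypothetical.
sample_requires() {
    printf '%s\t%s\n' \
        mta-example     openssl \
        mta-example     libssl.so.7 \
        mta-example     libcrypto.so.7 \
        imap-example    libssl.so.7 \
        ca-gui-example  openssl \
        vpn-example     libcrypto.so.7
}

# Packages that require exactly this capability (the question that
# "rpm -q --whatrequires <capability>" answers for installed packages).
dependents_on() {
    awk -F'\t' -v cap="$1" '$2 == cap && !seen[$1]++ { print $1 }'
}

# Packages with at least one requirement missing from the space-separated
# list of capabilities the upgraded library package would provide.
unsatisfied() {
    awk -F'\t' -v provided="$1" '
        BEGIN { n = split(provided, p, " "); for (i = 1; i <= n; i++) have[p[i]] = 1 }
        !($2 in have) && !seen[$1]++ { print $1 }'
}

echo "Require 'openssl' by name:"
sample_requires | dependents_on openssl
echo "Require 'libssl.so.7':"
sample_requires | dependents_on libssl.so.7
echo "Unsatisfied if only .so.8 is provided:"
sample_requires | unsatisfied "openssl libssl.so.8 libcrypto.so.8"
echo "Unsatisfied if a patched .so.7 is provided:"
sample_requires | unsatisfied "openssl libssl.so.7 libcrypto.so.7"
```

In this sample the name-based query misses `imap-example` and `vpn-example`, which depend only on a soname, so the list from a query on the package name understates what a soname bump would affect.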



