[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Why Fedora 10 still uses openssl pkg from 2007, 4 releases old?

Frantisek Hanzlik wrote:
Rick Stevens wrote:
Frantisek Hanzlik wrote:
After upgrading from F7 to F10 it's unable (for me, but on several sites)
access to sendmail daemon with authenticated access by either TLS
(port 25)
or SSL (port 465) protocols from M$ Outlook (Express too). I still make
on right description this issue, its look like some problem in
But no matter how it's related with, surprising for me is fact,
that Fedora 10 uses openssl package version 0.9.8g released in 2007,
while actual released version is 0.9.8j, four versions newer.

If you check the source RPM's spec file, you'll see that most (if not
all) of the "j" patches have been backported to the "g" version. The
trick is that the "j" version bumps the .so for /lib[64]/libcrypto.so.7
and /lib[64]/libssl.so.7 from ".7" to ".8" and a lot of existing code
would break because they want .7. Hope that explains it for you.

- Rick Stevens, Systems Engineer ricks nerd com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- If you're not part of the solution, you're part of the precipitate -

Rick, thank for Your response.
But - yes, I know just was released F10 openssl pkg 0.9.8g release 12,
and I read it's changelog, thus I know what was backported to this.

But I'm not agree about You these "lot of existing code would break
 because ..", as when I ask:

rpm -q --whatrequires openssl


(and I have relative large system with packages from rpmfusion, dries,
atrpms, planetccrma and others) - thus, I think, only packages
depend on openssl are some little from Fedora own repository.
I'm right?

Those are only the ones you have installed (rpm only queries your
installed packages).  There are probably others in the repos (not sure
if yum can query for "list everything dependent on openssl").  On top
of that, you also have to consider people (such as myself) that don't
just install RPM-based packages, but have built them from source
tarballs and the like.

While the general rule is to simply link against the ".so" version of
a library, many packages specifically link against the ".so.(version)"
of the libraries to ensure they have specific APIs that may not exist in
earlier versions. Unfortunately there's no "link against .so.7 or later" option in the linker (or if there is, it's not often used).

Thus, if you installed a libssl.so.8 and DIDN'T create (or replace) a
".so.7" symlink which points at the new .8 version to satisfy existing
packages (and remember, there are some F9 packages in F10), your code
won't run.  That's why they backport the patches and ship a heavily
modified "g" version (which retains the .so.7) instead of a (newer)
"j" version (with the new .so.8).
- Rick Stevens, Systems Engineer                      ricks nerd com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-                       When in doubt, mumble.                       -

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]