This is the mail archive of the cygwin-apps mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: HEADSUP maintainers: Change in openssl package requires change in setup.hint


Corinna Vinschen wrote on 2010-06-24:

On Jun 24 20:13, Matthias Andree wrote:
Corinna Vinschen wrote on 2010-06-24:
>I have no idea about this stuff. I'm maintaining openssl primarily
>since it's required for openssh. If there's anything which isn't
>fixed upstream, it won't be fixed for Cygwin. The Cygwin 1.0.0a-1
>package is from the vanilla sources. The 0.9.8 runtime libs will
>only be kept in place until all packages using it have been converted to
>1.0.0. I have no incentive to keep old runtime libs indefinitely.


Then please hold your horses.  Do it wrong and the upgrade breaks
OpenSSL on lots of installations.

And: if the upgrade isn't done properly, bug reports about this will
often be misfiled with the application programmers as regressions.
<http://www.fetchmail.info/fetchmail-FAQ.html#R14> and
<http://www.fetchmail.info/> bear testimonies of such misfilings :)

Here's the short scoop:

- OpenSSL 1.0.0 uses a different hash for /usr/ssl/certs than 0.9.8
did, so after the default ssl version is upgraded to 1.0.0, c_rehash
needs to be run on that directory.

Openssl does not come with any certificate and there's no certificate package in Cygwin either. AFAICS it would be sufficient to move to another ssl directory like, say, /usr/share/ssl instead of /usr/ssl. The user can copy and rehash any certificates manually, or install root certificates from scratch for 1.0.0.

I see you are taking this upgrade far too lightly.


You are *massively* underestimating the dangers and importance of this particular upgrade to 1.0.0 is.
It's very different from the 0.9.6->0.9.7->0.9.8 path which was barely noticable to users.


SSL in Cygwin has so far "just worked", users could install certs in the usual places and things would just work.
The 1.0.0 upgrade the way you are (not) planning it is going to break users' setups in spectacular ways, and create considerable astonishment and frustration.


Not shipping certs by default is no excuse for stomping over and breaking user setups.

If you change the ssldir to /usr/share, the postinstall script should move the contents from /usr/ssl to /usr/share/ssl.
At least users should be told there is manual intervention (move certs, rehash) required BEFORE they can proceed to installation.


For the rehashing issues, see my previous mail. This really should be done from postinstall, too, if the majority of packages moves to 1.0.0 at the same time.

For c_rehash, do consider my two patches, it will help.

This was my last unsolicited warning on this matter.

You have been warned.

--
Matthias Andree


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]