| 1 |
On Wed, Sep 30, 2015 at 3:29 PM, Anthony G. Basile <blueness@g.o> wrote: |
| 2 |
> |
| 3 |
> Yes you could use symbol versioning, and you can do the side by side by |
| 4 |
> renaming the library but that's a real pita for us since we'd have to hack |
| 5 |
> build systems to link against the correct library name. Ths should have |
| 6 |
> been done upstream. |
| 7 |
> |
| 8 |
|
| 9 |
Agree, though to be fair it was a failing in openssl before it was a |
| 10 |
failing in libressl: |
| 11 |
readelf -sW /usr/lib64/libssl.so | grep "@" |
| 12 |
(output: nothing that didn't come from glibc) |
| 13 |
|
| 14 |
> You'd have to name the libraries differently and you'd have to hack the |
| 15 |
> LDLFAGS to aim the build to the correct library. That, in my opinion, is |
| 16 |
> the killer to this idea. There is also the issue that some libc's like |
| 17 |
> uclibc don't do symbol versioning, but I would deal with that in other ways. |
| 18 |
|
| 19 |
++ There might be some solutions to automate this, but it would be a |
| 20 |
PITA. I think the better solution is to fix C itself. |
| 21 |
|
| 22 |
> |
| 23 |
> @rich0. Just a side comment. You said somewhere that maybe apache will |
| 24 |
> choose openssl and postfix libressl and then we'll be in trouble. No. The |
| 25 |
> incompatibility is at the abi not api level. So, for example, some struct |
| 26 |
> size might be different between the two because of internal implementation |
| 27 |
> details, but both should provide a definition of the same struct in their |
| 28 |
> header with the same members. ie. apache should compile against either |
| 29 |
> openssl or libressl and work, you just can't swap out your libssl without |
| 30 |
> recompiling apache which you could do if you had full api compat. |
| 31 |
|
| 32 |
I agree with this as long as both projects maintain API compatibility. |
| 33 |
Whether that happens remains to be seen. If openssl adds a new |
| 34 |
feature and libressl decides that is a "bad feature" or libressl adds |
| 35 |
a new feature and openssl doesn't have the manpower to keep up, or |
| 36 |
whatever, then we'll start seeing things break, and then everybody |
| 37 |
gets to pick sides. |
| 38 |
|
| 39 |
As may be happening with ffmpeg/libav I suspect that eventually one |
| 40 |
side or the other will become dominant, and at that point users will |
| 41 |
have a clean solution again. In the meantime they get to see WW3 |
| 42 |
unfurl on their desktops as they are forced to pick a side and decide |
| 43 |
which packages they want to install. I guess that would be a good |
| 44 |
time to plug containers again. (You know that symbol versioning is |
| 45 |
broken when the solution is basically to install a completely |
| 46 |
independent userspace for every process you run.) |
| 47 |
|
| 48 |
-- |
| 49 |
Rich |
Archives