v2.2.26.0 released

Aki Tuomi aki.tuomi at dovecot.fi
Wed Nov 2 18:06:27 UTC 2016



On 02.11.2016 19:54, Stuart Henderson wrote:
> On 2016-11-02, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>> If the standard way works, I am happy to include the original patch I
>> sent, amended so that it checks for presence of LIBRESSL_VERSION_NUMBER.
>> If they keep this promise, then we should have no worries about things
>> breaking up.
> Diff below is what I've added to OpenBSD ports.
>
> The libressl API is not cast in stone, there's a possibility some
> functions from newer OpenSSL might be added - in fact we already have
> some like TLS_method. 0x20000000L was specifically chosen to not
> match up with anything OpenSSL had used because they aren't directly
> comparable.
>
> In general I think the best approach would be for feature checks, e.g.
> in autoconf. (I wish there was some common m4 file shared between
> projects that people could use for this..) In the absence of this,
> it seems a better idea to check at the places where #ifdefs are done
> rather than override OPENSSL_VERSION_NUMBER locally.
>
> I don't think carrying patches like this separately is all that good an
> idea - people may well compile things on their own and not know about
> the problem. If the build fails that's not so bad, but the silent
> miscompile we see here is pretty nasty.
>
>
>

Thank you for the patch.

My personal opinion is that it is also a bit nasty to pretend to support
some API/ABI but provide false version numbers.

https://wiki.openssl.org/index.php/1.1_API_Changes, this is what OpenSSL
recommends to use for handling backwards compatibility with older
versions. As you can see, it uses a < test. Now you are claiming to be
v2.0.0, which means that there is no reasonable way to use
OPENSSL_VERSION to determine whether some particular feature is there or
not.

Yes, we could test each function separately, but that would kinda beat
the point of having a VERSION header in the first place, and also adds
to the ifdef hell by forcing us to check for each and every openssl
function that has changed since 1.0.0 and use that particular ifdef.

It would've been better, again in my opinion, to keep the VERSION in libressl
to match with the API you are providing instead of choosing some
abstract value that will mess up everyone's code. If you add
features to your API from OpenSSL, you can update the version number to
match with the API you provide.

Just my 0.02€.

Aki




