HEADSUP maintainers: Change in openssl package requires change in setup.hint

Matthias Andree matthias.andree@gmx.de
Thu Jun 24 21:21:00 GMT 2010

Corinna Vinschen wrote on 2010-06-24:

> On Jun 24 20:13, Matthias Andree wrote:
>> Corinna Vinschen wrote on 2010-06-24:
>> >I have no idea about this stuff.  I'm maintaining openssl primarily
>> >since it's required for openssh.  If there's anything which isn't
>> >fixed upstream, it won't be fixed for Cygwin.  The Cygwin 1.0.0a-1
>> >package is from the vanilla sources.  The 0.9.8 runtime libs will
>> >only be kept in place until all packages using it have been converted to
>> >1.0.0.  I have no incentive to keep old runtime libs indefinitely.
>> Then please hold your horses.  Do it wrong and the upgrade breaks
>> OpenSSL on lots of installations.
>> And: if the upgrade isn't done properly, bug reports about this will
>> often be misfiled with the application programmers as regressions.
>> <http://www.fetchmail.info/fetchmail-FAQ.html#R14> and
>> <http://www.fetchmail.info/> bear testimonies of such misfilings :)
>> Here's the short scoop:
>> - OpenSSL 1.0.0 uses a different hash for /usr/ssl/certs than 0.9.8
>> did, so after the default ssl version is upgraded to 1.0.0, c_rehash
>> needs to be run on that directory.
> Openssl does not come with any certificate and there's no certificate
> package in Cygwin either.  AFAICS it would be sufficient to move to
> another ssl directory like, say, /usr/share/ssl instead of /usr/ssl.
> The user can copy and rehash any certificates manually, or install
> root certificates from scratch for 1.0.0.

I see you are taking this upgrade far too lightly.

You are *massively* underestimating the dangers and importance of this
particular upgrade to 1.0.0.
It's very different from the 0.9.6->0.9.7->0.9.8 path which was barely
noticeable to users.

SSL in Cygwin has so far "just worked", users could install certs in the
usual places and things would just work.
The 1.0.0 upgrade the way you are (not) planning it is going to break
users' setups in spectacular ways, and create considerable astonishment
and frustration.

Not shipping certs by default is no excuse for stomping over and breaking
user setups.

If you change the ssldir to /usr/share, the postinstall script should move
the contents from /usr/ssl to /usr/share/ssl.
At least users should be told there is manual intervention (move certs,
rehash) required BEFORE they can proceed to installation.

For the rehashing issues, see my previous mail.  This really should be
done from postinstall, too, if the majority of packages moves to 1.0.0 at
the same time.

For c_rehash, do consider my two patches, it will help.

This was my last unsolicited warning on this matter.

You have been warned.

Matthias Andree
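
Added example, not part of the original mail or of any Cygwin or OpenSSL package: a shell check that reports which certificates in a directory such as /usr/ssl/certs still have only 0.9.8-style hash links and therefore need the c_rehash run discussed above. The function names, the `*.pem`/`*.crt` file pattern and the `<hash>.0` to `<hash>.9` link range are assumptions of this sketch; it needs an openssl binary from the 1.0.0 series or later, which provides both `-subject_hash` and `-subject_hash_old`.

```shell
#!/bin/sh
# Audit a certificate directory for hash links left over from OpenSSL 0.9.8.

# Print "<new-hash> <old-hash>" for one PEM certificate: -subject_hash is the
# 1.0.0 algorithm, -subject_hash_old the one used before 1.0.0.
subject_hashes() {
    new=$(openssl x509 -noout -subject_hash -in "$1" 2>/dev/null) || return 1
    old=$(openssl x509 -noout -subject_hash_old -in "$1" 2>/dev/null) || return 1
    printf '%s %s\n' "$new" "$old"
}

# Succeed if one of <hash>.0 .. <hash>.9 in the directory resolves to the file.
has_link() {
    for n in 0 1 2 3 4 5 6 7 8 9; do
        [ -e "$1/$2.$n" ] || continue
        [ "$1/$2.$n" -ef "$3" ] && return 0
    done
    return 1
}

# Print one "state<TAB>file" line per certificate (assumed *.pem / *.crt):
#   ok      link named after the 1.0.0 hash exists
#   stale   only the 0.9.8-style link exists, so the directory needs c_rehash
#   nolink  no hash link points at the file
#   badcert openssl could not parse the file
# Returns 0 only when every certificate is "ok".
audit_certdir() {
    certdir=$1 rc=0
    for cert in "$certdir"/*.pem "$certdir"/*.crt; do
        [ -f "$cert" ] && [ ! -L "$cert" ] || continue
        if ! hashes=$(subject_hashes "$cert"); then
            state=badcert
        elif has_link "$certdir" "${hashes% *}" "$cert"; then
            state=ok
        elif has_link "$certdir" "${hashes#* }" "$cert"; then
            state=stale
        else
            state=nolink
        fi
        [ "$state" = ok ] || rc=1
        printf '%s\t%s\n' "$state" "$cert"
    done
    return "$rc"
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_certdir "$1"
fi
```

A non-zero exit status makes the check usable as a gate in a postinstall or pre-upgrade script.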
