[openssl-dev] version script patch from Debian

[Tom Kacvinsky]

On Thu, Jan 21, 2016 at 12:14 PM, Matt Caswell <matt at openssl.org> wrote:
>
>
>
> On 21/01/16 16:53, Tom Kacvinsky wrote:
> > I ran into this problem with the OpenSSL 1.0.1e I built from source on a
> > Debian based system (Ubuntu):
> >
> > libssl.so.1.0.0: no version information available (required by python)
> >
> > Found this page:
> >
> > http://ubuntuforums.org/showthread.php?t=1905963
> >
> > to work around the issue, but the question is, is the version script
> > they provide good enough for 1.0.1e?
>
> A few things spring to mind here. Firstly 1.0.1e is really old
> (pre-heartbleed) and really shouldn't be used. I'd suggest you upgrade
> to 1.0.2e if you can (or 1.0.1q if it has to be 1.0.1).


Unforuntately, this is a no can do right now.  We are using OpenSSL for
client code only (OpenSSL support in Qt) and are not in a position to
change right now.
>
>
> The simplest fix for this is to ensure that system installed
> applications always pick up the system installed libraries, and only use
> your locally compiled version for applications that need it.
>

Using locally compiled version for only our applications.

> The version script that debian provide should be fine generally, but
> there is always the risk of a mismatch, i.e. if there are symbols
> defined in your local version not in the version script. The link in the
> above thread is for precise which was based on 1.0.1 (not 1.0.1e) so if
> there were any symbols added between 1.0.1 and 1.0.1e then you would be
> missing those (generally new symbols are avoided in letter releases so
> there may not be any).

Only one missing symbol, the memcmp symbol.
>
> Finally, I'd point out that I recently added symbol version information
> (for linux) into the forthcoming 1.1.0, so in the future this
> (hopefully) won't be a problem.

Nice!  I bet Linux distribution maintainers will love this.