[openssl-users] Why 1.0.1 AND 1.0.2 ?

REIX, Tony tony.reix at atos.net
Mon Sep 26 15:26:24 UTC 2016 

Hi,

We (BullFreeware project: http://www.bullfreeware.com/) port OpenSSL on AIX, since ages.

Since BullFreeware is not a distro (we do not deliver packages built all-together, rather we deliver RPM packages than may stay un-updated during years), we maintain a compatibility with older versions by delivering several versions of .so files.


About OpenSSL, when delivering version 1.1.0(b), we also deliver older versions: 1.0.1(u) and 1.0.2(j), as .so files and mainly as .so included in .a archives. (Though all other packages make use of .a archives, the .so files are sometimes required, like by test programs directly loading .so files).

# rpm2cpio /opt/freeware/src/packages/RPMS/ppc/openssl-1.1.0b-1withsslv2.aix6.1.ppc.rpm | cpio -itv | grep "\.a"
-rw-r--r--   1 root     system   39232261 Sep 26 16:56 opt/freeware/lib/libcrypto.a
-rw-r--r--   1 root     system    7976472 Sep 26 16:56 opt/freeware/lib/libssl.a
# /usr/bin/ar -X32 -tv opt/freeware/lib/libcrypto.a
rwxr-xr-x     0/0     3564172 Sep 26 16:50 2016 libcrypto.so.1.1.0
rwxr-xr-x     0/0     2920785 Sep 26 16:53 2016 libcrypto.so.1.0.0
rwxr-xr-x     0/0     3486254 Sep 26 16:53 2016 libcrypto.so.1.0.1
rwxr-xr-x     0/0     3637981 Sep 26 16:53 2016 libcrypto.so.1.0.2
# /usr/bin/ar -X32 -tv opt/freeware/lib/libssl.a
rwxr-xr-x     0/0     764960 Sep 26 16:50 2016 libssl.so.1.1.0
rwxr-xr-x     0/0     571439 Sep 26 16:53 2016 libssl.so.1.0.0
rwxr-xr-x     0/0     672674 Sep 26 16:53 2016 libssl.so.1.0.1
rwxr-xr-x     0/0     798812 Sep 26 16:53 2016 libssl.so.1.0.2


However, out of more ABIs delivered by 1.0.2 compared to 1.0.1, I do not understand what is the exact difference between versions 1.0.1 and 1.0.2 .


I've reread the page: https://www.openssl.org/policies/releasestrat.html and that did not help me too much.

I've also found this page: https://abi-laboratory.pro/tracker/timeline/openssl/ . But it does make it much clearer.


I think that I have understood that the 1.0.0 series contains the 1.0.0, 1.0.1 and 1.0.2 versions.

And, since 1.0.0 version is no longer supported, end-users should move (should have already moved) to the most recent version.

However, why do you still (till end of 2016) deliver new versions for both 1.0.1 and 1.0.2 : why 1.0.1 is still alive in parallel with 1.0.2 ? How are they different (out of 1.0.2 delivering more ABIs than 1.0.1) ?

How 1.0.1 and 1.0.2 are different from 1.0.0 (out of 1.0.2 and 1.0.1 delivering more ABIs than 1.0.0) ?

Would it be sufficient to deliver 1.0.2 now, and no more 1.0.1 ?

Why an application would need or be required to stay with 1.0.1 and not move to 1.0.2 right now ?


Thanks

Tony

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160926/6deb173d/attachment-0001.html>

More information about the openssl-users mailing list