Fwd: [.] ssl update needs rebuilds

Steffen Nurpmeso steffen at sdaoden.eu
Sun Jun 9 00:03:15 UTC 2024


Hello.

non-grata posting, but i think a fix would be a widely appreciated
clarification.  I think noloader is on this list, so i do not bcc
him.

--- Forwarded from Steffen Nurpmeso <steffen at sdaoden.eu> ---
Date: Sun, 09 Jun 2024 01:58:54 +0200
Author: Steffen Nurpmeso <steffen at sdaoden.eu>
..
 |>|>   Jun  7 23:41:16 outwall/smtpd[19222]: warning: run-time library \
 |>|>   vs. compile-time header version mismatch: OpenSSL 3.3.0 may not \
 |>|>   be compatible with OpenSSL 3.2.0
 |>  ...
 |>|[.] OpenSSL 3.2.0 and 3.3.0
 |>|are ABI and API compatible. I would not expect to see a warning or
 |>|error. See <https://www.openssl.org/policies/general/versioning-policy.h\
 |>|tml>.
 |
 |Some irrelevant background: that document covers OpenSSL 3.0 and
 |later (earlier releases use a different versioning scheme).
 |
 |>|From the document under Minor Release:
 |>|
 |>|    A minor release is indicated by changing the second number of the
 |>|    version. A minor release can, and generally will, introduce new
 |>|    features. However both the API and ABI will be preserved.
 |
 |That same document says under "Patch release":
 |
 |    A patch release is indicated by changing the final number of
 |    the version. A patch release will only contain bug and security
 |    fixes. Both the API and ABI will remain compatible across patch
 |    releases.
 |
 |Note that only the text for "Patch release" promises that the "Both
 |the API and ABI will remain compatible".

Hm, you have read the page, and i think Jeffrey is right in noting
that, effectively, the [.] log message is technically false.

However i also think the OpenSSL page is very confusing, as you
correctly point out, since

  For example, a program built with OpenSSL release 3.0.1 will be
  able to run with OpenSSL 3.1.0 but might not be able to take
  advantage of new features without modification.

how could a program compiled for 3.0.1 use features at all which
were introduced with a later minor version?
Btw they also say it *could* happen also here, with the same
"Exceptions to these rules require a vote by the OMC." clause they
use for API/ABI breakage for minor releases.

  ...
 |> [.] I must say, out of my head i have no idea
 |> whether it has always been like that for minor releases for one,
 |> and whether that is also true for LibreSSL, and the other SSL
 |> libraries that [.] possibly works with.  And [.] did
 |> use LibreSSL for some time in the past.
 ...
 -- End forward <20240608235854.g9q49DTf at steffen%sdaoden.eu>

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
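
The following is an added example, not part of the original message and not code from OpenSSL or from the program that logged the warning: a run-time vs. compile-time version check that follows the versioning-policy text quoted above instead of warning on any difference. The names `ssl_compat_check`, `parse_ssl_ver` and the enum are hypothetical; treating a run-time minor release older than the build-time one as worth a warning is an assumption, and the "vote by the OMC" exception clause is not modeled.

```c
#include <stdio.h>

/* Verdict for a compile-time vs. run-time OpenSSL version pair. */
enum ssl_compat { SSL_COMPAT_OK, SSL_COMPAT_WARN, SSL_COMPAT_UNKNOWN };
struct ssl_ver { int major, minor, patch; };

/* Parse "OpenSSL 3.3.0" or "3.3.0"; returns 0 on success, -1 otherwise. */
static int parse_ssl_ver(const char *s, struct ssl_ver *v)
{
    if (sscanf(s, "OpenSSL %d.%d.%d", &v->major, &v->minor, &v->patch) == 3)
        return 0;
    if (sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3)
        return 0;
    return -1;
}

/*
 * Apply the quoted policy: within one major version (3.0 and later),
 * minor and patch releases preserve API and ABI, so a newer run-time
 * library is fine. Anything the policy text does not cover is UNKNOWN.
 */
enum ssl_compat ssl_compat_check(const char *built, const char *running)
{
    struct ssl_ver b, r;

    if (parse_ssl_ver(built, &b) < 0 || parse_ssl_ver(running, &r) < 0)
        return SSL_COMPAT_UNKNOWN;   /* not an OpenSSL x.y.z string */
    if (b.major < 3 || r.major < 3)
        return SSL_COMPAT_UNKNOWN;   /* older scheme, policy does not apply */
    if (b.major != r.major)
        return SSL_COMPAT_WARN;      /* no promise across major releases */
    if (r.minor < b.minor)
        return SSL_COMPAT_WARN;      /* assumption: library may lack newer features */
    return SSL_COMPAT_OK;            /* same major, run-time minor >= build minor */
}

int main(void)
{
    /* Constructed input: the version pair from the quoted log line. */
    enum ssl_compat c = ssl_compat_check("OpenSSL 3.2.0", "OpenSSL 3.3.0");

    printf("built 3.2.0, running 3.3.0: %s\n",
           c == SSL_COMPAT_OK ? "ok" : c == SSL_COMPAT_WARN ? "warn" : "unknown");
    return 0;
}
```
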


More information about the openssl-users mailing list