openssl-1.0.0a - my upgrade plans

Ken Moffat ken at linuxfromscratch.org
Wed Nov 10 16:55:44 PST 2010


 I'm planning to upgrade openssl to 1.0.0a, maybe next week, maybe
a bit later than that.  I've built almost everything that the book
says can use openssl, and checked that it actually linked to it
(several packages needed switches for this).  Even for those
packages that are part of my normal build, I don't necessarily
*use* the openssl functionality, but 1.0.0a is now old enough for
many distros to use it, so packages with an active upstream ought
to work.


 I haven't tested the following build with this:

bug-buddy - I'm not installing all the deps for this, but it is part
 of gnome so I'm sure it will work fine with current openssl.

gnupg-1.4.9 - this doesn't actually link to openssl unless kerberos
 is used, so although I did build it I've proved nothing.

kde3 - I think breakage in kde3 is possible with a newer openssl,
 but I don't know if it still builds with a current toolchain.
 Anyone using trinity apparently has to install an older autoconf,
 so they can install an older openssl outside /usr if needed.

qpopper - (see previous thread).


 Built, tested but without success:

w3m - I tried to use it to log in to gmail, but it didn't like the
 redirect - unclear if the login succeeded or not.  Distros such
 as fedora and gentoo pass a --with-browser= switch to make it
 use something else (e.g. part of gnome) and don't make it depend
 on openssl.  If it is broken, I don't think that's a big deal,
 lynx and links are nicer and do work with openssl-1.0.0a.


 Needed patching to build:

mailx-12.4 - the patch is in -patches.


 The following needed version upgrades to build on LFS-6.7, the
newer openssl wasn't an issue (buildable versions listed):

balsa-2.4.8 (newer version to build with gmime-2.4)

LPRng-3.8.A

vsftpd-2.3.2

wireshark-1.4.1 (I built this with libpcap-1.1.1 to get a shared
libpcap.so)

xchat-2.8.8 (newer version for recent gtk+-2)


 The following will need to be upgraded:

heimdal - the 1.3 series fail to build because an openssl header
has moved.  1.4 builds.  I don't plan to upgrade this, it needs
someone with experience of kerberos.

mutt - needs to be upgraded to 1.5.21 to build with the newer
openssl.

postgresql (based on the earlier ticket for 1.0.0 where a pg prog
caused the apache build to fail, I used 9.0.0.  That version has
a vulnerability, so I'll be updating my testbox to 9.0.1 before
I update the book for openssl.)  I used httpd-2.2.16 with this.
I later tried the book's current version of httpd on a different
box without postgres or mysql, and it built ok so no urgency to
update httpd.

ruby - needs to be updated to 1.9.2 to build with the newer openssl.


Planned action:

0. lots of other non-BLFS things to do before I get round to this,
 also the ghostscript tickets, so who knows when I'll start...

1. upgrade openssl
  add patch for mailx
  add comment para in heimdal telling people to use 1.4 with
  openssl-1.0.0a until the book is updated

2. upgrade postgresql

3. upgrade mutt, unless someone else wants to take this (I use it,
but only on my server which is still running an *old* system).

4. upgrade ruby - seems a simple version change

5. upgrade httpd unless anyone else takes it.  ISTR there are some
vulnerability fixes in the newer version.

ĸen
-- 
the first time as tragedy, the second time as farce


