OpenSSH and OpenSSL snapshots

Booker C. Bense bbense at networking.stanford.edu
Wed Jan 23 03:27:59 EST 2002


On Tue, 22 Jan 2002, Markus Friedl wrote:

> On Tue, Jan 22, 2002 at 09:55:03AM +0100, Lutz Jaenicke wrote:
> > On Tue, Jan 22, 2002 at 09:36:57AM +0100, Markus Friedl wrote:
> > > On Tue, Jan 22, 2002 at 01:24:49AM +0100, Lutz Jaenicke wrote:
> > > > From OpenSSL's CHANGES file:
> > > >   +) Change all functions with names starting with des_ to be starting
> > > >      with DES_ instead.
> > >
> > > why do you break the old API? why is the old API not
> > > the default?
> > >
> > > why don't you call this openssl-1.x instead if you really
> > > have to break the API?
> >
> > It's one of the compromises we have to make. People complained about
> > severe problems when linking against other libraries also offering
> > DES functionality, so the namespace had to be cleaned up somehow.
>
> But why break binary compatibility for 99% of the
> users if 1% have problems with linking?

- From my perspective this is a really good thing. It would be one
thing if the OpenSSL folks had stayed with the original des
implementation, but they changed the API without changing the symbols.
Basically, if you used openssl and any other api that used the
"standard" des library it was extremely difficult to get things
to compile.

- This is why you can't put MIT k4 or k5 support easily in openssh.
I think it's more than 1%, but even if it is 1% as one of that 1%,
I am highly appreciative of this move. They should have done this
in the first place, if they really had to twiddle with the des api.

>
> Why not provide an 'option' for these 1%,
> that allows them to use the new API, e.g.
> 	#define OPENSSL_NEW_DES_API
> 	#include <openssl/des.h>

- Well, in fact the "old" library is a new library that
never should have used the des_ symbol space to begin with.

>
> > With respect to the numbering scheme: "1.0" should be the first version
> > from which on we promise API _and_ binary compatibility.
>
> So the reason for not calling this 1.0 is that nobody cares about
> binary compatibility _NOW_.
>
> The problem is that OpenSSL _is_ used, so binary _and_ API
> compatibility should not be discarded.

- But, the problem is that from my perspective there is no
API compatibility currently. IMHO, this is the best way out of
a very bad situation. I'm sure the OpenSSL people will get
a lot of flak, but this is the right thing to do. The fact
that somebody was actually willing to do the right thing
against their own interests has done much for my faith in
open source.

- The api hasn't changed that much, a simple query-replace
with /des_/DES_/ should fix the src code tree once and for
all.

- Booker C. Bense




More information about the openssh-unix-dev mailing list