OpenSSH and OpenSSL snapshots

Theo de Raadt deraadt at cvs.openbsd.org
Wed Jan 23 11:42:56 EST 2002


You have no idea how wrong you are.  You want us to #ifdef openssh?
We will not.  Instead, we will make it work with one openssl version on.
For now, we will choose the old, and not move to the new for ... lemme see..
shall I say 4 years?

> Return-Path: bbense at shred.stanford.edu
> Delivery-Date: Tue Jan 22 09:35:46 2002
> Received: from openbsd.cs.colorado.edu (openbsd.cs.colorado.edu [128.138.192.83])
> 	by cvs.openbsd.org (8.12.1/8.12.1) with ESMTP id g0MGXA3J032556
> 	(version=TLSv1/SSLv3 cipher=EDH-DSS-DES-CBC3-SHA bits=168 verify=FAIL)
> 	for <openssh at cvs.openbsd.org>; Tue, 22 Jan 2002 09:33:11 -0700 (MST)
> Received: from shred.stanford.edu (shred.Stanford.EDU [171.64.13.91])
> 	by openbsd.cs.colorado.edu (8.12.2/8.12.2) with ESMTP id g0MGS5mZ000937
> 	for <openssh at openbsd.org>; Tue, 22 Jan 2002 09:28:05 -0700 (MST)
> Received: from localhost (bbense at localhost)
> 	by shred.stanford.edu (8.11.6.Beta0/8.10.0.PreAlpha1) with ESMTP id g0MGRx909841;
> 	Tue, 22 Jan 2002 08:27:59 -0800 (PST)
> Date: Tue, 22 Jan 2002 08:27:59 -0800 (PST)
> From: "Booker C. Bense" <bbense at networking.stanford.edu>
> To: Markus Friedl <openssh at openbsd.org>
> cc: "'openssh-unix-dev at mindrot.org'" <openssh-unix-dev at mindrot.org>
> Subject: Re: OpenSSH and OpenSSL snapshots
> In-Reply-To: <20020122091641.GA16010 at faui02>
> Message-ID: <Pine.GSO.4.43.0201220811260.9728-100000 at shred.stanford.edu>
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> On Tue, 22 Jan 2002, Markus Friedl wrote:
> 
> > On Tue, Jan 22, 2002 at 09:55:03AM +0100, Lutz Jaenicke wrote:
> > > On Tue, Jan 22, 2002 at 09:36:57AM +0100, Markus Friedl wrote:
> > > > On Tue, Jan 22, 2002 at 01:24:49AM +0100, Lutz Jaenicke wrote:
> > > > > From OpenSSL's CHANGES file:
> > > > >   +) Change all functions with names starting with des_ to be starting
> > > > >      with DES_ instead.
> > > >
> > > > why do you break the old API? why is the old API not
> > > > the default?
> > > >
> > > > why don't you call this openssl-1.x instead, if you really
> > > > have to break the API?
> > >
> > > It's one of the compromises we have to make. people complained about
> > > severe problems when linking against other libraries also offering
> > > DES functionality, so the namespace had to be cleaned up somehow.
> >
> > But why break binary compatibility for 99% of the
> > users if 1% have problems with linking?
> 
> - From my perspective this is a really good thing. It would be one
> thing if the OpenSSL folks had stayed with the original des
> implementation, but they changed the API without changing the symbols.
> Basically, if you used openssl and any other api that used the
> "standard" des library it was extremely difficult to get things
> to compile.
> 
> - This is why you can't put MIT k4 or k5 support easily in openssh.
> I think it's more than 1%, but even if it is 1% as one of that 1%,
> I am highly appreciative of this move. They should have done this
> in the first place, if they really had to twiddle with the des api.
> 
> >
> > Why not provide an 'option' for these 1%,
> > that allows them to use the new API, e.g
> > 	#define OPENSSL_NEW_DES_API
> > 	#include <openssl/des.h>
> 
> - Well, in fact the "old" library is a new library that
> never should have used the des_ symbol space to begin with.
> 
> >
> > > With respect to the numbering scheme: "1.0" should be the first version
> > > from which on we promise API _and_ binary compatibility.
> >
> > So the reason for not calling this 1.0 is that nobody cares about
> > binary compatibility _NOW_.
> >
> > The problem is that OpenSSL _is_ used, so binary _and_ API
> > compatibility should not be discarded.
> 
> - But, the problem is that from my perspective there is no
> API compatibility currently. IMHO, this is the best way out of
> a very bad situation. I'm sure the OpenSSL people will get
> a lot of flak, but this is the right thing to do. That fact
> that somebody was actually willing to do the right thing
> against their own interests has done much for my faith in
> open source.
> 
> - The api hasn't changed that much, a simple query-replace
> with /des_/DES_/ should fix the src code tree once and for
> all.
> 
> - Booker C. Bense
> 
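Booker's closing suggestion, a query-replace of des_ with DES_ over the source tree, is worth doing carefully, because the very namespace clash the thread is about (another library, such as MIT Kerberos, also exporting des_ names) means a blind replace can rename the wrong library's calls. The shell script below is an added example, not code from this thread, from OpenSSL or from OpenSSH: it renames des_ identifiers to DES_ only in files that include <openssl/des.h>, anchors on identifier boundaries so names like mydes_flag survive, and refuses files that also pull in a non-OpenSSL <des.h> or <krb.h>, since sed cannot tell which library a des_ call belongs to there. The sample file it builds is constructed for the demo, and the header names it checks for are assumptions about a tree of that era.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSSL or OpenSSH): rename the old
# OpenSSL des_ API to DES_ in C sources, with the guards a blind
# sed 's/des_/DES_/g' lacks.

# rename_des_api FILE
#   Rewrites FILE in place. Prints the number of changed lines, "0" when FILE
#   does not include <openssl/des.h>, or "skip" when FILE also includes a
#   non-OpenSSL <des.h> or <krb.h> (assumed Kerberos headers), because then
#   a textual rename cannot tell the two libraries' des_ symbols apart.
rename_des_api() {
    f="$1"
    if ! grep -q '#include[[:space:]]*<openssl/des\.h>' "$f"; then
        echo 0
        return 0
    fi
    if grep -q -e '#include[[:space:]]*<des\.h>' -e '#include[[:space:]]*<krb\.h>' "$f"; then
        echo skip
        return 0
    fi
    tmp="$f.tmp.$$"
    # Only a des_ at line start or after a non-identifier character is an
    # OpenSSL prefix; "mydes_flag" or "krb_des_foo" must not be touched.
    sed -e 's/^des_/DES_/' \
        -e 's/\([^A-Za-z0-9_]\)des_/\1DES_/g' "$f" > "$tmp"
    changed=$(diff "$f" "$tmp" | grep -c '^>' || true)
    mv "$tmp" "$f"
    echo "$changed"
}

# Stand-alone demo on a constructed file when no arguments are given;
# otherwise process the files named on the command line.
if [ $# -eq 0 ]; then
    d=$(mktemp -d)
    cat > "$d/demo.c" <<'EOF'
#include <openssl/des.h>
des_key_schedule ks;
void f(des_cblock *k) { des_set_key(k, ks); des_ecb_encrypt(k, k, ks, DES_ENCRYPT); }
int mydes_flag = 0; /* not an OpenSSL symbol, must survive */
EOF
    echo "demo.c: $(rename_des_api "$d/demo.c") line(s) changed"
    cat "$d/demo.c"
    rm -rf "$d"
else
    for f in "$@"; do
        echo "$f: $(rename_des_api "$f")"
    done
fi
```

Run it with no arguments to see the constructed demo, or with a list of files (for example from `grep -l 'openssl/des.h' -r src`) to rewrite a tree. The rename is purely textual, so des_ inside string literals and comments is rewritten too; review the diff before committing, and treat every "skip" as a file that needs a hand edit, which is exactly the mixed-library case the thread complains about.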
More information about the openssh-unix-dev mailing list