Debian Bug report logs -
#856569
open-vm-tools: Depend on either libssl1.0-dev or libssl-dev
Reported by: Tiago Stürmer Daitx <tiago.daitx@canonical.com>
Date: Thu, 2 Mar 2017 15:15:01 UTC
Severity: wishlist
Found in version 10.1.5-5055683
Fixed in version open-vm-tools/2:10.1.5-5055683-2
Done: Bernd Zeimetz <bzed@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, tiago.daitx@canonical.com, Bernd Zeimetz <bzed@debian.org>:
Bug#856569; Package open-vm-tools.
(Thu, 02 Mar 2017 15:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Tiago Stürmer Daitx <tiago.daitx@canonical.com>:
New Bug report received and forwarded. Copy sent to tiago.daitx@canonical.com, Bernd Zeimetz <bzed@debian.org>.
(Thu, 02 Mar 2017 15:15:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: open-vm-tools
Version: 10.1.5-5055683
Severity: wishlist
Dear Maintainer,
Please consider improving Build-depends to accept either
libssl1.0-dev or libssl-dev as that will make backporting easier.
The dependency changed from libssl-dev to libssl1.0-dev due to
bug 828476 (ie. open-vm-tools can't be built with openssl 1.1).
Still, series that don't have libssl1.0-dev have libssl-dev
on 1.0 (confirmed for both Debian and Ubuntu).
Please condider the following debdiff:
--- debian/control.orig 2017-03-02 12:02:25.125780791 -0300
+++ debian/control 2017-03-02 11:47:40.200894481 -0300
@@ -8,7 +8,7 @@
libdumbnet-dev, libfuse-dev, libgtk2.0-dev, libgtkmm-2.4-dev,
libicu-dev, libnotify-dev, libpam0g-dev, libprocps-dev, libx11-dev,
libxinerama-dev, libxss-dev, libxtst-dev, dh-autoreconf, dh-systemd,
- libmspack-dev, libssl1.0-dev, libxerces-c-dev, libxml-security-c-dev
+ libmspack-dev, libssl1.0-dev | libssl-dev, libxerces-c-dev, libxml-security-c-dev
Standards-Version: 3.9.6
Homepage: https://github.com/vmware/open-vm-tools
Vcs-Git: https://github.com/bzed/pkg-open-vm-tools.git
Thanks!
Tiago
-- System Information:
Debian Release: stretch/sid
APT prefers xenial-updates
APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (400, 'xenial-proposed'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-34-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#856569; Package open-vm-tools.
(Thu, 02 Mar 2017 20:45:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Thu, 02 Mar 2017 20:45:06 GMT) (full text, mbox, link).
Message #10 received at 856569@bugs.debian.org (full text, mbox, reply):
Hi Tiago,
> Please consider improving Build-depends to accept either
> libssl1.0-dev or libssl-dev as that will make backporting easier.
I'm not sure how Ubuntu handles these things, but in Debian the
autobuilders only consider the first alternative of build dependencies
to keep a build reproducible - so if you have A | B as build-dep, they
will always use A.
I'm backporting the package to jessie and wheezy and you can find these
sources in my git repository, too. Especially for wheezy there are some
extra changes necessary.
Also a backport in the current state won't make upstream happy as the
cgauth service won't be started. For jessie I might depend on systemd,
but for older distributions an init script is necessary.
btw, regarding the ubuntu package - its nice, that it is just taking my
packaging these days - but why do you guys still build without
xmlsecurity and xerces?
Cheers,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#856569; Package open-vm-tools.
(Thu, 02 Mar 2017 21:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Tiago Daitx <tiago.daitx@canonical.com>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Thu, 02 Mar 2017 21:27:04 GMT) (full text, mbox, link).
Message #15 received at 856569@bugs.debian.org (full text, mbox, reply):
Hi Bernd,
Thank you for the quick reply. =)
On Thu, Mar 2, 2017 at 5:42 PM, Bernd Zeimetz <bernd@bzed.de> wrote:
> Hi Tiago,
>
>> Please consider improving Build-depends to accept either
>> libssl1.0-dev or libssl-dev as that will make backporting easier.
>
> I'm not sure how Ubuntu handles these things, but in Debian the
> autobuilders only consider the first alternative of build dependencies
> to keep a build reproducible - so if you have A | B as build-dep, they
> will always use A.
If A is not available then the builds will then try B, C, ... .
I did the a test build for Yakkety - which does not have libssl1.0-dev
(A) - and it picked libssl-dev (B) instead. On Zesty (our dev version)
the builders use libssl1.0-dev at that is available.
> I'm backporting the package to jessie and wheezy and you can find these
> sources in my git repository, too. Especially for wheezy there are some
> extra changes necessary.
Thanks for letting us know, should we need to backport this will
probably come in hand. =)
> Also a backport in the current state won't make upstream happy as the
> cgauth service won't be started. For jessie I might depend on systemd,
> but for older distributions an init script is necessary.
>
> btw, regarding the ubuntu package - its nice, that it is just taking my
> packaging these days - but why do you guys still build without
> xmlsecurity and xerces?
This is caused by the separation we have between Main and Universe.
Main is the stuff that is guaranteed to have security updates and all,
Universe not much so - there are other differences, but security is
what matters most in this case.
open-vm-tools is in Ubuntu Main archive, but xml-security-c and xerces
are in Universe. If they were only required for building it would be
fine, we have been allowed since Xenial to have packages in Main with
a Build-Depend on packages on Universe. The problem is that both
xml-security-c and xerces are also runtime dependencies, so a package
in Main can't have those [1]. To depend on those would require them to
be moved to Main, which didn't happen [2].
What I did, based on suggestions, was to build and test against
xmlsec1, which is in Main and accepted by open-vm-tools's configure.
The build turned out fine. I haven't done some real testing on it, I'm
now waiting for other folks to look into that if they have the time.
Is there a reason why Debian prefers xmlsecurity and xerces instead of
xmlsec1? If it were to depend on xmlsec1 then Ubuntu would be able to
use the exact same package. I'm not familiar with the functionality in
and security of open-vm-tools, xmlsecurity, xerces, and xmlsec1, so I
really have no idea what difference that would do.
Many thanks!
[1] https://lists.ubuntu.com/archives/ubuntu-devel-announce/2016-April/001179.html
[2] https://bugs.launchpad.net/ubuntu/+source/xml-security-c/+bug/1482777
--
Tiago Stürmer Daitx
Software Engineer
tiago.daitx@canonical.com
PGP Key: 4096R/F5B213BE (hkp://keyserver.ubuntu.com)
Fingerprint = 45D0 FE5A 8109 1E91 866E 8CA4 1931 8D5E F5B2 13BE
Added tag(s) pending.
Request was from Bernd Zeimetz <bzed@debian.org>
to control@bugs.debian.org.
(Thu, 02 Mar 2017 21:39:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Bernd Zeimetz <bzed@debian.org>:
Bug#856569; Package open-vm-tools.
(Thu, 02 Mar 2017 22:42:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to Bernd Zeimetz <bzed@debian.org>.
(Thu, 02 Mar 2017 22:42:04 GMT) (full text, mbox, link).
Message #22 received at 856569@bugs.debian.org (full text, mbox, reply):
Hi Tiago,
>> I'm not sure how Ubuntu handles these things, but in Debian the
>> autobuilders only consider the first alternative of build dependencies
>> to keep a build reproducible - so if you have A | B as build-dep, they
>> will always use A.
>
> If A is not available then the builds will then try B, C, ... .
>
> I did the a test build for Yakkety - which does not have libssl1.0-dev
> (A) - and it picked libssl-dev (B) instead. On Zesty (our dev version)
> the builders use libssl1.0-dev at that is available.
interesting. Makes things easier for you, of course.
https://github.com/bzed/pkg-open-vm-tools/commit/ed95c1d1f23c9982ba997ca05bae0d86d1505162
> [...]
>
>> btw, regarding the ubuntu package - its nice, that it is just taking my
>> packaging these days - but why do you guys still build without
>> xmlsecurity and xerces?
>
> [...]
> What I did, based on suggestions, was to build and test against
> xmlsec1, which is in Main and accepted by open-vm-tools's configure.
> The build turned out fine. I haven't done some real testing on it, I'm
> now waiting for other folks to look into that if they have the time.
I'll ask upstream about it, but if configure accepts it, I'd guess its fine.
> Is there a reason why Debian prefers xmlsecurity and xerces instead of
> xmlsec1? If it were to depend on xmlsec1 then Ubuntu would be able to
> use the exact same package. I'm not familiar with the functionality in
> and security of open-vm-tools, xmlsecurity, xerces, and xmlsec1, so I
> really have no idea what difference that would do.
Mainly because when open-vm-tools started to require xmlsecurity/xerces
at some point and I didn't even realize that there was an alternative
now. Which is a bit annoying as it might build with libssl 1.1 then. But
I don't want to change it for stretch anymore, I think.
Thanks for figuring out!
Cheers,
Bernd
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Reply sent
to Bernd Zeimetz <bzed@debian.org>:
You have taken responsibility.
(Thu, 23 Mar 2017 09:06:10 GMT) (full text, mbox, link).
Notification sent
to Tiago Stürmer Daitx <tiago.daitx@canonical.com>:
Bug acknowledged by developer.
(Thu, 23 Mar 2017 09:06:11 GMT) (full text, mbox, link).
Message #27 received at 856569-close@bugs.debian.org (full text, mbox, reply):
Source: open-vm-tools
Source-Version: 2:10.1.5-5055683-2
We believe that the bug you reported is fixed in the latest version of
open-vm-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 856569@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernd Zeimetz <bzed@debian.org> (supplier of updated open-vm-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 23 Mar 2017 09:35:16 +0100
Source: open-vm-tools
Binary: open-vm-tools open-vm-tools-desktop open-vm-tools-dev open-vm-tools-dkms
Architecture: source amd64 all
Version: 2:10.1.5-5055683-2
Distribution: unstable
Urgency: medium
Maintainer: Bernd Zeimetz <bzed@debian.org>
Changed-By: Bernd Zeimetz <bzed@debian.org>
Description:
open-vm-tools - Open VMware Tools for virtual machines hosted on VMware (CLI)
open-vm-tools-desktop - Open VMware Tools for virtual machines hosted on VMware (GUI)
open-vm-tools-dev - Open VMware Tools for virtual machines hosted on VMware (developm
open-vm-tools-dkms - Open VMware Tools vmxnet kernel module (deprecated)
Closes: 856569 858494
Changes:
open-vm-tools (2:10.1.5-5055683-2) unstable; urgency=medium
.
* [651cdfe] Depend on iproute2.
Necessary for /etc/vmware-tools/scripts/vmware/network.
* [ed95c1d] Depend on libssl1.0-dev | libssl-dev.
Thanks to Tiago Daitx (Closes: #856569)
Makes building the package in Ubuntu easier.
* [2750700] Add o-v-t as dependency of o-v-t-dev.
Thanks to Andreas Beckmann (Closes: #858494)
Checksums-Sha1:
af83e666b7ac998f6478061df55b5576f33ef0d8 2502 open-vm-tools_10.1.5-5055683-2.dsc
0aec64f3e63cd90709d099973a7be52a04e38815 25072 open-vm-tools_10.1.5-5055683-2.debian.tar.xz
ce0583988d0aee002c4e5f44a3e98733afe56545 1999848 open-vm-tools-dbgsym_10.1.5-5055683-2_amd64.deb
8dd8d58a64eb4e38273c0ef833848d722a03cb61 197600 open-vm-tools-desktop-dbgsym_10.1.5-5055683-2_amd64.deb
1b3c5e8245f2096f500ca57c8992cb5466e15d8a 165458 open-vm-tools-desktop_10.1.5-5055683-2_amd64.deb
5a7ffa31419e6255988663c71de47a326f1f0244 498156 open-vm-tools-dev_10.1.5-5055683-2_amd64.deb
c309eb7bdbe8533dce8231b6f279ae64c3d348c6 417872 open-vm-tools-dkms_10.1.5-5055683-2_all.deb
d09d1c21ae88a3522dc69ad74726c48102e00e33 13717 open-vm-tools_10.1.5-5055683-2_amd64.buildinfo
5d370947eb915fed374a5eb145dac6a4db4ae3bc 560766 open-vm-tools_10.1.5-5055683-2_amd64.deb
Checksums-Sha256:
5f8e8a7f1441540f414818172139e1e07a2318088bf9c23f0741b063b45ebbe5 2502 open-vm-tools_10.1.5-5055683-2.dsc
7477e02cf2650d3268a3ca61530579764b04877b7321b8018a7a76395856d067 25072 open-vm-tools_10.1.5-5055683-2.debian.tar.xz
d98f786160a8b185f2f084836d19bdb34ad896cc21ded8c4d52c29bc453792d2 1999848 open-vm-tools-dbgsym_10.1.5-5055683-2_amd64.deb
c21465f3c0325e2e1c1a3acfc7a3aed932daa3a56c0a19975454d7f290d8e923 197600 open-vm-tools-desktop-dbgsym_10.1.5-5055683-2_amd64.deb
2b33785b6c21d07699fa58fdf242f5c37f74ea5d25e40fb3ed11b21f97a40ce1 165458 open-vm-tools-desktop_10.1.5-5055683-2_amd64.deb
6f9f0c8e9b9021361e5aa88d6ce3d2c66843ae481475b1da6d8f2c0689ac0771 498156 open-vm-tools-dev_10.1.5-5055683-2_amd64.deb
1eb9165abb96ad9bb1be56989c8d0c681e083b028b88ed2496d87bb8d659d68e 417872 open-vm-tools-dkms_10.1.5-5055683-2_all.deb
fd497986723c1ddf39dbaf4e14f8b916613b25c1949420294ae47f62178aab44 13717 open-vm-tools_10.1.5-5055683-2_amd64.buildinfo
d8525afacacbd66d21963b3b8e493a61ae74fd8d0b8567ce2d3e4872efa04170 560766 open-vm-tools_10.1.5-5055683-2_amd64.deb
Files:
281edcdbc0729614dd78728f08d3cd2c 2502 admin extra open-vm-tools_10.1.5-5055683-2.dsc
47457adbd5c8610f32abb2977fe63006 25072 admin extra open-vm-tools_10.1.5-5055683-2.debian.tar.xz
373b927e46184164dc89f6dba24c65f7 1999848 debug extra open-vm-tools-dbgsym_10.1.5-5055683-2_amd64.deb
0f1ae588bdb07d3a6a851e1d15e7e733 197600 debug extra open-vm-tools-desktop-dbgsym_10.1.5-5055683-2_amd64.deb
6716b22ddc4dbae4ef3bb23862ef1eca 165458 admin extra open-vm-tools-desktop_10.1.5-5055683-2_amd64.deb
38dd30b0aaebb3465e5464fee6f05ddb 498156 devel extra open-vm-tools-dev_10.1.5-5055683-2_amd64.deb
22cb5953cf216ff884277be69e0f60b7 417872 kernel extra open-vm-tools-dkms_10.1.5-5055683-2_all.deb
750fba04f0d3acf0358175238cc9b3c9 13717 admin extra open-vm-tools_10.1.5-5055683-2_amd64.buildinfo
e5265b049ddeedfa03c79bed31c6a37f 560766 admin extra open-vm-tools_10.1.5-5055683-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE7KHj8o4RJDLUhd2V6zYXGm/5Q18FAljTizEACgkQ6zYXGm/5
Q1/RQA//ZEPMW65g6DeMD9em8eZ87MXjgi9+3ak3VpkOo7r7m33aQ1oZztZL3qEE
xmn4NG6Q/powfZVlxzJje88V+LWELgym6/Fx4i9APdzYu1mlVkjBA4qQcsMd1ZCa
GXi8mJtgjpe1ubEu9I8whhI2LO5AUZ1Rj/5HCc6O+qLjeD2hM0C0p3xjve887HWf
o5QTLpf3oyIQcxeb5VIHKY+Std9knZCBEiHNMlm5bQ0SAMAW1DzIwRwWXpTuL5WS
ZEstTclD+lUuNyds/QTHzlxYCYYnaLKa6s7AqNtmOyq0/LqizLP1TzOLsMhDMq7T
Er+0KdO4yyqeaSHvCDtsLI1/ia5vxw7MNkjBto4yqyw9NNere9jr4HopYoKnf49g
e411A6XYxGpeuTHguf1BacpkFA3xpg5lPRXNZiaA3HHcUEj7XhGm99zFWnJ2pTEY
P5deyVLPNK5yLwzNGlKNjQ8tbsslGGJaL9YoRmOoA41AZZwXW5LWplgahBew9Uqf
ESx1+aE/Rjx9mODg+OnLlwo62e8aTCtnGqO9P2vVFWtMYKjTbQE+NAPI/trIIZQw
AIMW10bgEfulCmTSs1C85Du/g4Y62lOESS1+G1R7Q1JSGlCmI+NlIqWsEKRvNWhW
c3gFvKBM4ygqWNJzVR4LO13gVzUfXfmJZUXJHNVVKlwxe8OKZqA=
=PvAA
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 21 Apr 2017 07:30:25 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jan 10 03:20:20 2018;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.