You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by "Cooke, Mark" <ma...@siemens-healthineers.com> on 2017/11/21 15:11:51 UTC

Recommended apr / openssl etc. library version for svn ?

Hello,

Is there any support for building svn with OpenSSL 1.1.0 yet?  I did a search in the archives and only came up with Stefan's MaxSVN build which has so far excluded the update from 1.0.2 [1] but that was back in February?

[1] https://svn.haxx.se/dev/archive-2017-02/0145.shtml

I managed to build httpd with apr 1.6.2 and OpenSSL 1.1.0g (using `cvtdsp.pl -ossl11`) but the subversion build has 113 errors and I am wondering if this is worth persevering with?

If not, is the MaxSVN dependency list about the best recommendation?

*Apache httpd 2.4.23 (.29)
*Apache Serf(tm) 1.3.9
*APR 1.5.2 (1.6.3)
*APR-util 1.5.4 (1.6.1)
*APR iconv 1.2.1 (1.2.2)
*Expat 2.2.0 (2.2.5)
*OpenSSL 1.0.2j (.2m)
*PCRE 8.39 (8.41)
*SQLite 3.15.1 (amalgamation) (3.21)
*ZLib 1.2.8 (1.2.11)

...subject to security updates of course (brackets show latest version at time of writing)!

Thanks,

~ Mark C

Re: Recommended apr / openssl etc. library version for svn ?

Posted by Branko Čibej <br...@apache.org>.

On 22.11.2017 07:28, Cooke, Mark wrote:
>> -----Original Message-----
>> From: Branko Čibej [mailto:brane@apache.org]
>> Sent: 21 November 2017 21:01
>>
>> On 21.11.2017 21:43, Eric Johnson wrote:
>>> I don't know if this helps, but I run Subversion on a Gentoo system,
>>> which is constantly upgrading to newer versions of software. Gentoo
>>> does a really good job of only marking stuff stable when it is
>>> actually stable. So if Gentoo doesn't have openssl 1.1 in use, there's
>>> a really good reason.
>>>
>>> This is what is currently "stable" on my Gentoo system running
>>> Subversion (which is a few weeks old - minor updates might be available):
>> Not-so-minor updates are, in fact available. :)
>>
>>> *Apache httpd 2.4.27
>>> *Apache Serf(tm) 1.3.8
>> Should be 1.3.9.
>>
>>> *APR 1.5.2
>> Should be 1.6.3.
>>
>>> *APR-util 1.5.4
>> Should be 1.6.1.
>>
>>> *APR iconv (not installed on my machine)
>> Not needed in Unix-like environments that have libiconv generally available. Not needed on Windows
>> because we use the native character encoding conversion functions (since ... I don't recall when, but
>> it's been quite a while).
>>
>>> *Expat 2.2.1
>>> *OpenSSL 1.0.2l
>>> *PCRE 8.41
>> I have _no_ idea how PCRE got on this list. Subversion itself does not use it, nor, as far as I'm
>> aware, do Serf, APR or APR-Util.
> I imagine that APR-iconv and PCRE are in the MaxSVN list (and mine) due to building apache httpd as well? 

That's possible; HTTPD does use PCRE and possibly APR-iconv (on Windows).

>>> *SQLite 3.19.3
>>> *ZLib 1.2.11
>>>
>>> Specifically, in the case of openssl, I found this bug tracking all
>>> the compatibility problems: https://bugs.gentoo.org/592438 . Seems
>>> like you probably want to stay away from it.
>> Serf trunk can be compiled with 1.1, but I'm not sure how far along the 1.3.x release branch is.
>> Whilst OpenSSL 1.1 has made some really unfortunate decisions that break API compatibility with the
>> 1.0.x line, there are also a number of serious bugs fixed in it ...
>>
>> -- Brane
> ...so is svn still waiting on support in other packages?

Subversion does not use OpenSSL directly. It uses Serf, which in turn
uses OpenSSL to support HTTPS.

>   Bottom line is that I should still use the 1.0.2 line for now?

Yes.

-- Brane

RE: Recommended apr / openssl etc. library version for svn ?

Posted by "Cooke, Mark" <ma...@siemens-healthineers.com>.

> -----Original Message-----
> From: Branko Čibej [mailto:brane@apache.org]
> Sent: 21 November 2017 21:01
> 
> On 21.11.2017 21:43, Eric Johnson wrote:
> > I don't know if this helps, but I run Subversion on a Gentoo system,
> > which is constantly upgrading to newer versions of software. Gentoo
> > does a really good job of only marking stuff stable when it is
> > actually stable. So if Gentoo doesn't have openssl 1.1 in use, there's
> > a really good reason.
> >
> > This is what is currently "stable" on my Gentoo system running
> > Subversion (which is a few weeks old - minor updates might be available):
> 
> Not-so-minor updates are, in fact available. :)
> 
> > *Apache httpd 2.4.27
> > *Apache Serf(tm) 1.3.8
> 
> Should be 1.3.9.
> 
> > *APR 1.5.2
> 
> Should be 1.6.3.
> 
> > *APR-util 1.5.4
> 
> Should be 1.6.1.
> 
> > *APR iconv (not installed on my machine)
> 
> Not needed in Unix-like environments that have libiconv generally available. Not needed on Windows
> because we use the native character encoding conversion functions (since ... I don't recall when, but
> it's been quite a while).
> 
> > *Expat 2.2.1
> > *OpenSSL 1.0.2l
> > *PCRE 8.41
> 
> I have _no_ idea how PCRE got on this list. Subversion itself does not use it, nor, as far as I'm
> aware, do Serf, APR or APR-Util.

I imagine that APR-iconv and PCRE are in the MaxSVN list (and mine) due to building apache httpd as well? 

> > *SQLite 3.19.3
> > *ZLib 1.2.11
> >
> > Specifically, in the case of openssl, I found this bug tracking all
> > the compatibility problems: https://bugs.gentoo.org/592438 . Seems
> > like you probably want to stay away from it.
> 
> Serf trunk can be compiled with 1.1, but I'm not sure how far along the 1.3.x release branch is.
> Whilst OpenSSL 1.1 has made some really unfortunate decisions that break API compatibility with the
> 1.0.x line, there are also a number of serious bugs fixed in it ...
> 
> -- Brane

...so is svn still waiting on support in other packages?  Bottom line is that I should still use the 1.0.2 line for now?

Thanks to Brane and Eric.

~ Mark C

Re: Recommended apr / openssl etc. library version for svn ?

Posted by Branko Čibej <br...@apache.org>.

On 21.11.2017 21:43, Eric Johnson wrote:
> I don't know if this helps, but I run Subversion on a Gentoo system,
> which is constantly upgrading to newer versions of software. Gentoo
> does a really good job of only marking stuff stable when it is
> actually stable. So if Gentoo doesn't have openssl 1.1 in use, there's
> a really good reason.
>
> This is what is currently "stable" on my Gentoo system running
> Subversion (which is a few weeks old - minor updates might be available):

Not-so-minor updates are, in fact available. :)

> *Apache httpd 2.4.27
> *Apache Serf(tm) 1.3.8

Should be 1.3.9.

> *APR 1.5.2

Should be 1.6.3.

> *APR-util 1.5.4

Should be 1.6.1.

> *APR iconv (not installed on my machine)

Not needed in Unix-like environments that have libiconv generally
available. Not needed on Windows because we use the native character
encoding conversion functions (since ... I don't recall when, but it's
been quite a while).

> *Expat 2.2.1
> *OpenSSL 1.0.2l
> *PCRE 8.41

I have _no_ idea how PCRE got on this list. Subversion itself does not
use it, nor, as far as I'm aware, do Serf, APR or APR-Util.

> *SQLite 3.19.3
> *ZLib 1.2.11
>
> Specifically, in the case of openssl, I found this bug tracking all
> the compatibility problems: https://bugs.gentoo.org/592438 . Seems
> like you probably want to stay away from it.

Serf trunk can be compiled with 1.1, but I'm not sure how far along the
1.3.x release branch is. Whilst OpenSSL 1.1 has made some really
unfortunate decisions that break API compatibility with the 1.0.x line,
there are also a number of serious bugs fixed in it ...

-- Brane

Re: Recommended apr / openssl etc. library version for svn ?

Posted by Eric Johnson <er...@tibco.com>.

I don't know if this helps, but I run Subversion on a Gentoo system, which
is constantly upgrading to newer versions of software. Gentoo does a really
good job of only marking stuff stable when it is actually stable. So if
Gentoo doesn't have openssl 1.1 in use, there's a really good reason.

This is what is currently "stable" on my Gentoo system running Subversion
(which is a few weeks old - minor updates might be available):
*Apache httpd 2.4.27
*Apache Serf(tm) 1.3.8
*APR 1.5.2
*APR-util 1.5.4
*APR iconv (not installed on my machine)
*Expat 2.2.1
*OpenSSL 1.0.2l
*PCRE 8.41
*SQLite 3.19.3
*ZLib 1.2.11

Specifically, in the case of openssl, I found this bug tracking all the
compatibility problems: https://bugs.gentoo.org/592438 . Seems like you
probably want to stay away from it.

Eric.

On Tue, Nov 21, 2017 at 7:11 AM, Cooke, Mark <
mark.cooke@siemens-healthineers.com> wrote:

> Hello,
>
> Is there any support for building svn with OpenSSL 1.1.0 yet?  I did a
> search in the archives and only came up with Stefan's MaxSVN build which
> has so far excluded the update from 1.0.2 [1] but that was back in February?
>
> [1] https://svn.haxx.se/dev/archive-2017-02/0145.shtml
>
> I managed to build httpd with apr 1.6.2 and OpenSSL 1.1.0g (using `
> cvtdsp.pl -ossl11`) but the subversion build has 113 errors and I am
> wondering if this is worth persevering with?
>
> If not, is the MaxSVN dependency list about the best recommendation?
>
> *Apache httpd 2.4.23 (.29)
> *Apache Serf(tm) 1.3.9
> *APR 1.5.2 (1.6.3)
> *APR-util 1.5.4 (1.6.1)
> *APR iconv 1.2.1 (1.2.2)
> *Expat 2.2.0 (2.2.5)
> *OpenSSL 1.0.2j (.2m)
> *PCRE 8.39 (8.41)
> *SQLite 3.15.1 (amalgamation) (3.21)
> *ZLib 1.2.8 (1.2.11)
>
> ...subject to security updates of course (brackets show latest version at
> time of writing)!
>
> Thanks,
>
> ~ Mark C
>
>