upgrade of ssl breaks lots of things

Jacek Poplawski · 2006-07-23 14:24:46

We upgraded openssl on system which wasn't upgraded for few months. Pacman didn't complain at all.

Then... ssh stopped working, because it uses openssl-0.9.7, wget stopped working, and lots of other quite important things stopped working.

Why all these packages don't require openssl-0.9.7 package? Why it is so easy to disable whole server (ssh!) by upgrading single package?

Kern · 2006-07-23 14:34:58

i too thought dependencies were checked, and amended accordingly.

i had similar. it needed full pacman -Syu to solve.

and some packages failed (nessus) for same reason (0.97) problem was that packages hadnt migrated across the full range of servers yet. 0.98 v 0.97)

Snowman mentions "dependencies wont be upgraded" . different package, but same principle.
http://bbs.archlinux.org/viewtopic.php? … highlight=

BTW, If you haven't done a "pacman -Syu" lately, you'll probably want to do so (read the frontpage news) especially if you installed the latest openssl. Otherewise, your older packages won't work with the newer openssl.

Jacek Poplawski · 2006-07-23 14:57:12

But IMHO "pacman -Syu" should not be required, sometimes I just want to upgrade part of system, why pacman can't check dependences? Or maybe I should ask why packages are constructed this way? This is a huge problem when you are upgrading computer without physical access. Fortunately it wasn't very important computer (but I've lost access!).

Kern · 2006-07-23 16:17:07

i must admit i agree with you. i thought exactly the same
its a valid point regarding remote access.

tomk · 2006-07-23 19:25:25

File a feature request, guys, but in the meantime, my approach to issues like this has always been that Arch works best if it is kept completely up to date. If you choose to do partial upgrades, you'd need to be prepared for the consequences - specifically, if you choose to update one key package like openssl, without updating everything that depends on it, you're asking for trouble, as you have just discovered.

Jacek Poplawski · 2006-07-23 19:38:11

But "full update" is not a very good requirement for a stable Linux distribution. IMHO pacman should not allow administrator to break things so easily.
Feature request about what? Openssl, openssh or packages in general?

kth5 · 2006-07-23 20:00:30

there have been announcements regarding openssl, gnutls and db on the:
* homepage news
* forum
* mailing list

if you read one of these you didn't pay enough attention.
but true, if every PKGBUILD had

depends=('openssl>=0.9.8')

pacman would have complained if dependencies needed updates too.

btw, arch does not strive to be stable over being bleeding edge. if you need something that is stable without your help, arch probably isn't the right thing. i do run a few production servers on the internet and hundreds of embedded machines at our customer's places on arch or based on it. upgrading them was never a big issue if i was paying enough attention. in essence, arch can be very stable if you sacrifice a bit of your time.

tomk · 2006-07-23 21:15:53

Jacek Poplawski wrote:

Feature request about what? Openssl, openssh or packages in general?

Packages in general - something like
"If package foo is upgraded with pacman -S, pacman should check for new versions of all packages that depend on foo, and add any that it finds to the install target list."
You may want to tweak that to your taste - this is not a feature that I need, simply an answer to your question above.

Jacek Poplawski · 2006-07-23 22:20:01

Thanks tomk, but if this is not "Arch way" then I am not going to request for such feature. I use Arch for half year (on 1 server, 2 workstations and 1 laptop) and I couldn't find any better distribution, but problems like that one makes me sad

tomk · 2006-07-23 23:00:09

Well, it's up to you. It's only a request, and if it's something that would improve your Arch experience, then it's valid, IMO. The devs may or may not agree with you, but at least it's on record.

Is it the "Arch way"? Well, you could look at it like this - pacman is deservedly praised for dependency handling, and this would be an enhancement in that area. When I said I don't need it, I didn't mean that I don't think it's a good idea.

Jacek Poplawski · 2006-07-23 23:47:10

It would definitly improve my life, because I've lost ssh access to one of my workstations. And I am very far away from home now (California - Poland, timezones difference - 9 hours).

Gullible Jones · 2006-07-23 23:56:42

I'd say go for it... It's definitely a good idea.

Arch Linux

#1 2006-07-23 14:24:46

upgrade of ssl breaks lots of things

#2 2006-07-23 14:34:58

Re: upgrade of ssl breaks lots of things

#3 2006-07-23 14:57:12

Re: upgrade of ssl breaks lots of things

#4 2006-07-23 16:17:07

Re: upgrade of ssl breaks lots of things

#5 2006-07-23 19:25:25

Re: upgrade of ssl breaks lots of things

#6 2006-07-23 19:38:11

Re: upgrade of ssl breaks lots of things

#7 2006-07-23 20:00:30

Re: upgrade of ssl breaks lots of things

#8 2006-07-23 21:15:53

Re: upgrade of ssl breaks lots of things

#9 2006-07-23 22:20:01

Re: upgrade of ssl breaks lots of things

#10 2006-07-23 23:00:09

Re: upgrade of ssl breaks lots of things

#11 2006-07-23 23:47:10

Re: upgrade of ssl breaks lots of things

#12 2006-07-23 23:56:42

Re: upgrade of ssl breaks lots of things

Board footer