Bug 1613852

Summary: Remove compat-openssl10-devel from nodejs-devel subpackage
Product: [Fedora] Fedora
Reporter: Robert Marcano <robert>
Component: nodejs
Assignee: NodeJS Packaging SIG <nodejs-sig>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: athmanem, jamielinux, mrunge, nodejs-sig, sgallagh, tchollingsworth, thrcka, zsvetlik
Last Closed: 2018-08-11 08:20:30 UTC
Type: Bug

Description Robert Marcano 2018-08-08 12:17:56 UTC
Updating to nodejs 8.11.3-2.fc28 is not possible if openssl-devel is already installed, with the error:

  package compat-openssl10-devel-1:1.0.2o-1.fc28.x86_64 conflicts with openssl-devel provided by openssl-devel-1:1.1.0h-3.fc28.x86_64

This is caused by the revert to OpenSSL 1.0 from bug 1607112.

This breaks any chance to do local development of modules that don't have to link with OpenSSL, too, if the users need openssl-devel 1.1 for other projects.

Probably disabling compat-openssl10-devel temporarily until OpenSSL 1.1 is used is the best action. The problem that could happen is people building NodeJS modules with the wrong OpenSSL (if those use OpenSSL).

Currently the update path of NodeJS is broken if the user has openssl-devel installed. They may notice it if they use dnf, but if they use GUI tools, like GNOME Software for example, they may not notice they are left with an old (probably vulnerable) NodeJS.

Comment 1 Stephen Gallagher 2018-08-11 08:20:30 UTC
The nodejs package does not depend on compat-openssl10-devel, it depends on compat-openssl10. However, the nodejs-devel package *does* actually require compat-openssl10 because it is useless without it. (If you wanted to build a native binary NPM against this Node.js version, you must have the same version of openssl-devel available in your environment).

This is behaving exactly as it should, and if you don't need nodejs-devel, you should just remove it and the upgrade will work fine.

Comment 2 Robert Marcano 2018-08-11 18:04:55 UTC
Sorry, but I don't need compat-openssl10-devel to build a node native module like node-sass; I only need node-devel. node-sass doesn't link with openssl. Why would I need compat-openssl10-devel installed?

On the other hand I need openssl-devel in order to link other things not related to node development, and I don't want to use old OpenSSL releases.

I think *-devel packages on Fedora have a tendency to pull a lot of *-devel dependencies that aren't always needed.

Can you reconsider this?
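
The disagreement in comments 1 and 2 turns on whether a given native addon links OpenSSL at all and, if it does, which ABI. As an added example (not part of the bug report or of the Fedora packaging), this script reads `readelf -d` output and compares the OpenSSL sonames of node and of an addon. The sample dumps are constructed, and the soname mapping (`*.so.10` for compat-openssl10, `*.so.1.1` for OpenSSL 1.1) is an assumption based on Fedora's library naming.

```shell
#!/bin/sh
# Added example. Print the OpenSSL sonames listed as DT_NEEDED in the
# `readelf -d <file>` text supplied on stdin.
openssl_sonames() {
    sed -nE 's/.*\(NEEDED\).*\[(lib(ssl|crypto)\.so\.[^]]*)\].*/\1/p' | sort -u
}

# Reduce those sonames to one label: none, 1.0, 1.1, unknown or mixed.
# Assumption: Fedora naming (compat-openssl10 = *.so.10, OpenSSL 1.1 = *.so.1.1).
openssl_abi() {
    abi=none
    for n in $(openssl_sonames); do
        case "$n" in
            *.so.10)  cur=1.0 ;;
            *.so.1.1) cur=1.1 ;;
            *)        cur=unknown ;;
        esac
        if [ "$abi" = none ]; then abi=$cur
        elif [ "$abi" != "$cur" ]; then abi=mixed
        fi
    done
    echo "$abi"
}

# check_addon NODE_DUMP ADDON_DUMP: returns 0 if the addon links no OpenSSL
# or the same ABI as node, 1 on a mismatch.
check_addon() {
    node_abi=$(printf '%s\n' "$1" | openssl_abi)
    addon_abi=$(printf '%s\n' "$2" | openssl_abi)
    if [ "$addon_abi" = none ]; then
        echo "ok: addon has no OpenSSL dependency (node links $node_abi)"
    elif [ "$addon_abi" = "$node_abi" ]; then
        echo "ok: addon and node both link OpenSSL $addon_abi"
    else
        echo "mismatch: node links $node_abi, addon links $addon_abi"
        return 1
    fi
}

# Constructed readelf -d excerpts (not captured from a real system).
NODE_DUMP=' 0x0000000000000001 (NEEDED)  Shared library: [libssl.so.10]
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.10]
 0x0000000000000001 (NEEDED)  Shared library: [libstdc++.so.6]'
PLAIN_ADDON_DUMP=' 0x0000000000000001 (NEEDED)  Shared library: [libstdc++.so.6]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
SSL11_ADDON_DUMP=' 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
check_addon "$NODE_DUMP" "$PLAIN_ADDON_DUMP"
check_addon "$NODE_DUMP" "$SSL11_ADDON_DUMP" || true
```

On a real system, pass `"$(readelf -d /usr/bin/node)"` and the dump of the built `.node` file instead of the samples; only DT_NEEDED entries are examined.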

Comment 3 Zuzana Svetlikova 2018-08-13 19:55:50 UTC
AFAIK nodejs v8.x should be fully compatible with both versions of OpenSSL.

Comment 4 Stephen Gallagher 2018-08-14 11:06:10 UTC
(In reply to Zuzana Svetlikova from comment #3)
> AFAIK nodejs v8.x should be fully compatible with both versions of OpenSSL.

Upstream claims that it is fully compatible, but it doesn't work. See https://bugzilla.redhat.com/show_bug.cgi?id=1607112 for an example.

Comment 5 Zuzana Svetlikova 2018-08-14 11:34:54 UTC
Looks more like a workaround to me and something that should be fixed upstream.