Bug 1613852 - Remove compat-openssl10-devel from nodejs-devel subpackage
Summary: Remove compat-openssl10-devel from nodejs-devel subpackage
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: nodejs
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: NodeJS Packaging SIG
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-08-08 12:17 UTC by Robert Marcano
Modified: 2018-08-14 11:34 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-11 08:20:30 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Robert Marcano 2018-08-08 12:17:56 UTC 
Updating to nodejs 8.11.3-2.fc28 is not possible if openssl-devel is already installed with error:

  package compat-openssl10-devel-1:1.0.2o-1.fc28.x86_64 conflicts with openssl-devel provided by openssl-devel-1:1.1.0h-3.fc28.x86_64

This is caused by the revert to OpenSSL 1.0 from bug 1607112.

This break any chance to do local development modules that don't have to link with OpenSSL too if the users need openssl-devel 1.1 for another projects.

Probably disabling compat-openssl10-devel temporally until OpenSSL 1.1 is used is the best action. The problem that could happen is people building NodeJS modules with wrong OpenSSL (if those use OpenSSL).

Currently the update path of NodeJS is broken if the user has openssl-devel installed, they may notice it if they use dnf, but if they use GUI tools, like GNOME Software for example, they may not notice they are left with and old (probably vulnerable) NodeJS
Comment 1 Stephen Gallagher 2018-08-11 08:20:30 UTC 
The nodejs package does not depend on compat-openssl10-devel, it depends on compat-openssl10. However, the nodejs-devel package *does* actually require compat-openssl10 because it is useless without it. (If you wanted to build a native binary NPM against this Node.js version, you must have the same version of openssl-devel available in your environment).

This is behaving exactly as it should, and if you don't need nodejs-devel, you should just remove it and the upgrade will work fine.
Comment 2 Robert Marcano 2018-08-11 18:04:55 UTC 
Sorry, but I don't need compat-openssl10-devel to build a node native module like node-sass, I only need node-devel. node-sass doesn't link with openssl, Why would I need compat-openssl10-devel installed?.

On the other hand I need openssl-devel in order to link other things not related to node development, and I don't want to use old OpenSSL releases.

I think *-devel packages on Fedora has a tendency to pull a lot of *-devel dependencies that aren't always needed.

Can you reconsider this?
Comment 3 Zuzana Svetlikova 2018-08-13 19:55:50 UTC 
AFAIK nodejs v8.x should be fully compatible with both versions of OpenSSL.
Comment 4 Stephen Gallagher 2018-08-14 11:06:10 UTC 
(In reply to Zuzana Svetlikova from comment #3)
> AFAIK nodejs v8.x should be fully compatible with both versions of OpenSSL.

Upstream claims that it is fully compatible, but it doesn't work. See https://bugzilla.redhat.com/show_bug.cgi?id=1607112 for an example.
Comment 5 Zuzana Svetlikova 2018-08-14 11:34:54 UTC 
Looks more like a workaround for me and something that should be fixed upstream.
Note You need to log in before you can comment on or make changes to this bug.