1625440 – openssl-devel conflicts with compat-openssl10-devel

Bug 1625440 - openssl-devel conflicts with compat-openssl10-devel

Summary: openssl-devel conflicts with compat-openssl10-devel

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openssl
Sub Component:
Version:	27
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-09-04 23:58 UTC by Przemek Klosowski
Modified:	2018-09-07 07:04 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-09-05 08:11:07 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Przemek Klosowski 2018-09-04 23:58:33 UTC

Description of problem:
This package seems to conflict with compat-openssl10-devel which is required by a large number of packages.

Version-Release number of selected component (if applicable):
openssl-devel                    x86_64           1:1.1.0h-3.fc27  

How reproducible: every time


Steps to Reproduce:
1. dnf update

Actual results:
Problem 2: package nodejs-devel-1:8.11.4-1.fc27.x86_64 requires compat-openssl10-devel(x86-64), but none of the providers can be installed
  - package compat-openssl10-devel-1:1.0.2o-1.fc27.x86_64 conflicts with openssl-devel provided by openssl-devel-1:1.1.0h-3.fc27.x86_64


Expected results: successful update without conflicts

Comment 1 Przemek Klosowski 2018-09-05 00:01:24 UTC

This can be worked around by allowing deletion of openssl-devel:
dnf update --allowerasing --best

openssl-devel doesn't seem to be missed by any other packages, and the update concludes succesfully

Comment 2 Tomas Mraz 2018-09-05 08:11:07 UTC

This is on purpose and will not be changed. Everything should move to openssl-1.1.x sooner or later.

Comment 3 Przemek Klosowski 2018-09-05 15:48:42 UTC

OK, but the essence of this bug is that openssl-1.1 blocks the upgrades for large number of packages that still depend on openssl-1.0, and the only way forward is to delete openssl-1.1 from the system, which seems counterproductive to our stated goal.

Up to now it was possible to have both openssl (1.1) and compat-openssl10 co-installed. Is the newly emerged incompatibility inevitable for technical reasons, or a packaging artifact that could be reverted?

The current situation where the upgrade is blocked is not very good. Teaching people to blindly use --allowerasing is a bad idea: in the past packaging errors led to rampant conflict erasing and unbootable systems: https://bugzilla.redhat.com/show_bug.cgi?id=1601724

Comment 4 Tomas Mraz 2018-09-05 16:00:25 UTC

оpenssl-devel and compat-openssl10-devel packages always conflicted.

openssl-libs and compat-openssl10 do not conflict - if they do for some reason for you, it is a bug. But I do not see such conflict here.

Comment 5 Przemek Klosowski 2018-09-05 18:05:36 UTC

I had both -devel packages installed previously and they apparently started to conflict very recently. The non-devel packages indeed do not conflict, as you say.

Normally I have -devel packages installed either because they were pulled in as dependencies, or because I was compiling something else that required their .h files or something like that.
I don't remember which one was the case here, but please note that 1040 packages require openssl-devel and 265 packages require compat-openssl10-devel as reported by "dnf repoquery --whatrequires xxxxxx". I believe that most of those dependencies are specified as 'one or another' which is why this situation can be resolved by allowing erase of openssl-devel.

Comment 6 Tomas Mraz 2018-09-06 06:27:00 UTC

I am sorry, but you must misremember this. The compat-openssl10-devel and openssl-devel packages always explicitly conflicted.
See this commit:

https://src.fedoraproject.org/rpms/compat-openssl10/c/b1a99fb4d28b966757258b18262746573c3d55cd?branch=master

This commit introduced the compat-openssl10-devel package and as you can see there is Conflicts: openssl-devel already.

Basically non-conflicting openssl-devel and compat-openssl10-devel packages would require changes in build process of applications linking to one of these and it would encourage situation where both openssl libraries are loaded into a single process which is in general unsupported although it works OK in many cases. But there are cases where this is completely broken.

Comment 7 Przemek Klosowski 2018-09-06 18:58:31 UTC

Back in July I had openssl-devel for sure
Jul 08 17:44:31 ... upgrade[1260]: [1704/4637] (31%) installing openssl-devel-1.0.1k-10.fc22...
As you say, I almost certainly did not have compat-openssl10-devel then.

I think what happened is that the openssl devel requires specify both openssl-devel and compat-openssl10-devel, and in the past they were satisfied by the openssl-devel package; e.g. 

dnf repoquery  --deplist libssh2-devel-1.8.0-5.fc27.x86_64

dependency: pkgconfig(libssl)
   provider: compat-openssl10-devel-1:1.0.2o-1.fc27.i686
   provider: compat-openssl10-devel-1:1.0.2o-1.fc27.x86_64
   provider: openssl-devel-1:1.1.0h-3.fc27.i686
   provider: openssl-devel-1:1.1.0h-3.fc27.x86_64

Now, maybe recently some packages started requiring specifically compat-openssl10-devel, e.g. 

dnf repoquery  --deplist nodejs-devel

dependency: compat-openssl10-devel(x86-64)
   provider: compat-openssl10-devel-1:1.0.2o-1.fc27.x86_64

causing the conflict.

Comment 8 Tomas Mraz 2018-09-07 07:04:51 UTC

Ah yes, I was talking about time since upgrade of openssl to 1.1.0 version which happened quite long ago in Fedora 26.

I am sorry, you will have to cope somehow with that. Either remove openssl-devel prior to upgrading or use the allowerasing option.

Note You need to log in before you can comment on or make changes to this bug.