Re: 0.9.8 API/ABI compatibility with 0.9.7 ?

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: 0.9.8 API/ABI compatibility with 0.9.7 ?

Eduardo Pérez
On 2005-05-14 15:27:26 +0000, Eduardo Pérez wrote:
> I was wondering if openssl-0.9.8 is going to be API/ABI compatible
> with the current stable branch of openssl-0.9.7
> I think keeping API/ABI compatible is a good idea and makes programmer
> and users life easier.
> Anyway, if you are not going to keep API/ABI compatibility in
> openssl-0.9.8 with 0.9.7 I'd like to hear the reasoning behind that.

I made a diff of the symbols in libssl and libcrypto in openssl 0.9.7
and 0.9.8 and found that libssl didn't remove any symbols from the
previous version and therefore may be backwards compatible if none of
the older symbols changed ABI/API

In libcrypto I saw that in the newer version there are missing symbols
so it may not be API/ABI compatible if that symbols were supposed to be
public and used by applications.

It seems that openssl doesn't want to keep API/ABI compatibility
between minor versions, ignoring the tremendous help that it brings to
end users and distributions packagers, even knowing that compatibility
could be achieved at no cost.

Is this true?

openssl_libssl_0.9.7_0.9.8_symbols.diff (3K) Download Attachment
openssl_libcrypto_0.9.7_0.9.8_symbols.diff (27K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: 0.9.8 API/ABI compatibility with 0.9.7 ?

Mike Frysinger
On Thursday 09 June 2005 10:28 am, Eduardo Pérez wrote:

> On 2005-05-14 15:27:26 +0000, Eduardo Pérez wrote:
> > I was wondering if openssl-0.9.8 is going to be API/ABI compatible
> > with the current stable branch of openssl-0.9.7
> > I think keeping API/ABI compatible is a good idea and makes programmer
> > and users life easier.
> > Anyway, if you are not going to keep API/ABI compatibility in
> > openssl-0.9.8 with 0.9.7 I'd like to hear the reasoning behind that.
>
> I made a diff of the symbols in libssl and libcrypto in openssl 0.9.7
> and 0.9.8 and found that libssl didn't remove any symbols from the
> previous version and therefore may be backwards compatible if none of
> the older symbols changed ABI/API

symbol name means nothing if it expects the arguments passed to it are of
different sizes

see the fun people had in upgrading from 0.9.7e to 0.9.7[fg] on x86_64 linux
-mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: 0.9.8 API/ABI compatibility with 0.9.7 ?

Eduardo Pérez
On 2005-06-09 11:24:22 -0400, Mike Frysinger wrote:

> On Thursday 09 June 2005 10:28 am, Eduardo Pérez wrote:
> > On 2005-05-14 15:27:26 +0000, Eduardo Pérez wrote:
> > > I was wondering if openssl-0.9.8 is going to be API/ABI compatible
> > > with the current stable branch of openssl-0.9.7
> > > I think keeping API/ABI compatible is a good idea and makes programmer
> > > and users life easier.
> > > Anyway, if you are not going to keep API/ABI compatibility in
> > > openssl-0.9.8 with 0.9.7 I'd like to hear the reasoning behind that.
> >
> > I made a diff of the symbols in libssl and libcrypto in openssl 0.9.7
> > and 0.9.8 and found that libssl didn't remove any symbols from the
> > previous version and therefore may be backwards compatible if none of
> > the older symbols changed ABI/API
>
> symbol name means nothing if it expects the arguments passed to it are of
> different sizes

I know.

> see the fun people had in upgrading from 0.9.7e to 0.9.7[fg] on x86_64 linux

Wow!!! I didn't know there were breakage even there.
But, that wasn't made on purpose, was it?
Could you show me any reference to that? Why did that happen?
Isn't there any testing made prior to release?

Do you know if there are more people interested in keeping API/ABI
compatible?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: 0.9.8 API/ABI compatibility with 0.9.7 ?

Richard Levitte - VMS Whacker
In reply to this post by Eduardo Pérez
In message <[hidden email]> on Thu, 9 Jun 2005 14:28:27 +0000, Eduardo Pérez <[hidden email]> said:

eperez> On 2005-05-14 15:27:26 +0000, Eduardo Pérez wrote:
eperez> > I was wondering if openssl-0.9.8 is going to be API/ABI
eperez> > compatible with the current stable branch of openssl-0.9.7
eperez> > I think keeping API/ABI compatible is a good idea and makes
eperez> > programmer and users life easier.
eperez> > Anyway, if you are not going to keep API/ABI compatibility
eperez> > in openssl-0.9.8 with 0.9.7 I'd like to hear the reasoning
eperez> > behind that.

0.9.8 and 0.9.7 aren't compatible in certain areas.  The biggest
changes have nothing to do with function and variable symbols.  If you
want to look at the real incompatibilities, you need to compare the
different structures.  I'll get into that below.

eperez> In libcrypto I saw that in the newer version there are missing
eperez> symbols so it may not be API/ABI compatible if that symbols
eperez> were supposed to be public and used by applications.

Those I saw in your diff were ECC symbols.  ECC is still quite
experimental in 0.9.7 and has evolved quite a lot in 0.9.8.

eperez> It seems that openssl doesn't want to keep API/ABI
eperez> compatibility between minor versions, ignoring the tremendous
eperez> help that it brings to end users and distributions packagers,
eperez> even knowing that compatibility could be achieved at no cost.

I think you're making quite a harsch conclusion.  One of the bigger
problems with the foundation of OpenSSL is the open nature of almost
all structures.  To keep API/ABI compatibility, those would have to be
frozen, but that would effectively stop all development that includes
new methods with extended data, or certain security fixes, or...
unless you want *really ugly* and *really insecure* hacks in OpenSSL.
Trust me.

For a comparison, I suggest you compare the RSA structures in
crypto/rsa/rsa.h between 0.9.7 and 0.9.8.  I suggest you compare
simple little constants like EVP_MAX_KEY_LENGTH and EVP_MAX_BLOCK_LENGTH
between 0.9.6 and 0.9.7.

The biggest change that's needed in OpenSSL is to hide all the
structures and all constants and have them available through functions
(creator, destructors and information functions).  So speaking of
incompatibilites, we've really kept it low compared to what needs to
be done and what could be done.

Our version numbering is admitedly weird.  Basically, we've treated
'0.9.' as a prefix to signal that "this isn't a 1.0 yet, and drastic
changes can be expected", and effectively trated the next digit as a
classic major version.  This is reflected in the soname we give the
shared libraries.  We probably should do some drastic changes in our
version numbering (which is quite a lesson to me personally.  I've
been reluctant to make a move to 1.0 because OpenSSL hasn't felt ready
for that).

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: 0.9.8 API/ABI compatibility with 0.9.7 ?

Mike Frysinger
In reply to this post by Eduardo Pérez
On Thursday 09 June 2005 12:37 pm, Eduardo Pérez wrote:
> > see the fun people had in upgrading from 0.9.7e to 0.9.7[fg] on x86_64
> > linux
>
> Wow!!! I didn't know there were breakage even there.
> But, that wasn't made on purpose, was it?

no, i'm pretty sure it was just a simple mistake that is fixed in the current
0.9.7 branch ... then again i really havent researched beyond fixing it in
Gentoo ...

> Do you know if there are more people interested in keeping API/ABI
> compatible?

you're overlooking the fact that the soname is set to the full version of the
library ... when you go to link with -lcrypto, the libname
'libcrypto.so.0.9.7' is recorded in the NEEDED section of the elf instead of
'libcrypto.so.0' ... so unless you have 0.9.8 install its library as
'libcrypto.so.0.9.8' (which it wont), applications are going to break
-mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: 0.9.8 API/ABI compatibility with 0.9.7 ?

Eduardo Pérez
In reply to this post by Richard Levitte - VMS Whacker
On 2005-06-09 19:54:13 +0200, Richard Levitte - VMS Whacker wrote:

> In message <[hidden email]> on Thu, 9 Jun 2005 14:28:27 +0000, Eduardo Pérez <[hidden email]> said:
> eperez> On 2005-05-14 15:27:26 +0000, Eduardo Pérez wrote:
> eperez> > I was wondering if openssl-0.9.8 is going to be API/ABI
> eperez> > compatible with the current stable branch of openssl-0.9.7
> eperez> > I think keeping API/ABI compatible is a good idea and makes
> eperez> > programmer and users life easier.
> eperez> > Anyway, if you are not going to keep API/ABI compatibility
> eperez> > in openssl-0.9.8 with 0.9.7 I'd like to hear the reasoning
> eperez> > behind that.
>
> 0.9.8 and 0.9.7 aren't compatible in certain areas.  The biggest
> changes have nothing to do with function and variable symbols.  If you
> want to look at the real incompatibilities, you need to compare the
> different structures.  I'll get into that below.

That's other problem.
Internal structures shouldn't be exposed through a stable API.

> eperez> In libcrypto I saw that in the newer version there are missing
> eperez> symbols so it may not be API/ABI compatible if that symbols
> eperez> were supposed to be public and used by applications.
>
> Those I saw in your diff were ECC symbols.  ECC is still quite
> experimental in 0.9.7 and has evolved quite a lot in 0.9.8.

So, if there weren't any external application users, it may not cause
problems to anyone, may it?

> eperez> It seems that openssl doesn't want to keep API/ABI
> eperez> compatibility between minor versions, ignoring the tremendous
> eperez> help that it brings to end users and distributions packagers,
> eperez> even knowing that compatibility could be achieved at no cost.
>
> I think you're making quite a harsch conclusion.  One of the bigger
> problems with the foundation of OpenSSL is the open nature of almost
> all structures.  To keep API/ABI compatibility, those would have to be
> frozen, but that would effectively stop all development that includes
> new methods with extended data, or certain security fixes, or...
> unless you want *really ugly* and *really insecure* hacks in OpenSSL.
> Trust me.

That doesn't need to be true. The http://www.gtk.org/ people keep
API/ABI compatibility from 2.0 (they are now at 2.6) and they add new
methods and extended data every release.

> For a comparison, I suggest you compare the RSA structures in
> crypto/rsa/rsa.h between 0.9.7 and 0.9.8.

If those RSA structures where only accessible through public methods
there wouldn't be any problem with any change on them.

> I suggest you compare
> simple little constants like EVP_MAX_KEY_LENGTH and EVP_MAX_BLOCK_LENGTH
> between 0.9.6 and 0.9.7.

Sure, to keep API/ABI compatibility those constants shouldn't change
their value between compatible releases.

> The biggest change that's needed in OpenSSL is to hide all the
> structures and all constants and have them available through functions
> (creator, destructors and information functions).  So speaking of
> incompatibilities, we've really kept it low compared to what needs to
> be done and what could be done.

So is there any plans to make internal structures only accessible from
public methods?

> Our version numbering is admittedly weird.  Basically, we've treated
> '0.9.' as a prefix to signal that "this isn't a 1.0 yet, and drastic
> changes can be expected", and effectively trated the next digit as a
> classic major version.  This is reflected in the soname we give the
> shared libraries.  We probably should do some drastic changes in our
> version numbering (which is quite a lesson to me personally.  I've
> been reluctant to make a move to 1.0 because OpenSSL hasn't felt ready
> for that).

When do you feel OpenSSL will be ready for a 1.0 release and API/ABI
stabilization?
Is there any roadmap of the work that needs to be done?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: 0.9.8 API/ABI compatibility with 0.9.7 ?

Eduardo Pérez
In reply to this post by Mike Frysinger
On 2005-06-09 13:59:22 -0400, Mike Frysinger wrote:
> On Thursday 09 June 2005 12:37 pm, Eduardo Pérez wrote:
> > Do you know if there are more people interested in keeping API/ABI
> > compatible?
>
> you're overlooking the fact that the soname is set to the full version of the
> library ... when you go to link with -lcrypto, the libname
> 'libcrypto.so.0.9.7' is recorded in the NEEDED section of the elf instead of
> 'libcrypto.so.0' ... so unless you have 0.9.8 install its library as
> 'libcrypto.so.0.9.8' (which it wont), applications are going to break

The quick hack to get it working is just to keep libcrypto.so.0.9.7 for
the new 0.9.8 code, as easy as that. It may create some confusion for
programmers but users don't see that files.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: 0.9.8 API/ABI compatibility with 0.9.7 ?

Ben Laurie
In reply to this post by Eduardo Pérez
Eduardo Pérez wrote:
> On 2005-06-09 19:54:13 +0200, Richard Levitte - VMS Whacker wrote:

<much whining snipped>

>>For a comparison, I suggest you compare the RSA structures in
>>crypto/rsa/rsa.h between 0.9.7 and 0.9.8.
>
> If those RSA structures where only accessible through public methods
> there wouldn't be any problem with any change on them.

Duh. We know this, of course. The problem is that the code we inherited
did not have them hidden.

So, when we hide everything that should be hidden, we'll break all sorts
of stuff.

OTOH, we really ought to bite the bullet and do that.

<more whining snipped>

Cheers,

Ben.

--
 >>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]