[Cryptography] Apple and OpenSSL
Theodore Ts'o
tytso at mit.edu
Sun Apr 20 20:01:27 EDT 2014
On Sun, Apr 20, 2014 at 11:23:03PM +0100, Ben Laurie wrote:
> > The problem is, as I said above, that OpenSSL does not have a
> > stable ABI
>
> OpenSSL does have a stable ABI.
I remember participating in discussions with OpenSSL in the context of
the Linux Standard Base (LSB) which is very much about stable ABI's.
At least at one point, the commitment that the OpenSSL folks were
willing to make is that the ABI would be stable within a micro release
level. That is, 0.9.N and 1.0.N would remain ABI stable so long as N
didn't increment.
But historically, every two years or so, N would bump, and that point,
you would need to bump the major SOVERSION of the shared library,
because there would be ABI breakage.
Many other packages try much harder to only add new functions, but to
not break any existing functions once they are added to the shared
library. However, this is much more difficult if the library has
exposed many structures as part of the ABI, such that it is incredibly
difficult to change the data structures without breaking the ABI.
If you design your interfaces to maximize ABI stability (and you don't
use C++, because every single time you add even a private variable to
the base class, it breaks ABI compatibility for all of the
subclasses), it is possible to make this kind of ABI stability for far
longer than "we'll break the world every year or two".
So when you say "stable ABI", it's important that you set expectations
for what you mean by that. Some people are willing to make much more
stringent promises of ABI stability than others. I've run Linux
binaries dating back from the late nineties on modern kernels without
a problem. That's a much different level of ABI stability than what
OpenSSL has promised or has delivered in the past. (Although to be
fair, they have a legacy code base and a legacy set of interfaces that
make life very hard for them.)
Regards,
- Ted
More information about the cryptography
mailing list