[Cryptography] Apple and OpenSSL

Ben Laurie ben at links.org
Tue Apr 22 17:15:44 EDT 2014


On 21 April 2014 01:01, Theodore Ts'o <tytso at mit.edu> wrote:
> On Sun, Apr 20, 2014 at 11:23:03PM +0100, Ben Laurie wrote:
>> > The problem is, as I said above, that OpenSSL does not have a
>> > stable ABI
>>
>> OpenSSL does have a stable ABI.
>
> I remember participating in discussions with OpenSSL in the context of
> the Linux Standard Base (LSB) which is very much about stable ABIs.
> At least at one point, the commitment that the OpenSSL folks were
> willing to make is that the ABI would be stable within a micro release
> level.  That is, 0.9.N and 1.0.N would remain ABI stable so long as N
> didn't increment.
>
> But historically, every two years or so, N would bump, and at that point,
> you would need to bump the major SOVERSION of the shared library,
> because there would be ABI breakage.
>
> Many other packages try much harder to only add new functions, but to
> not break any existing functions once they are added to the shared
> library.  However, this is much more difficult if the library has
> exposed many structures as part of the ABI, such that it is incredibly
> difficult to change the data structures without breaking the ABI.
>
> If you design your interfaces to maximize ABI stability (and you don't
> use C++, because every single time you add even a private variable to
> the base class, it breaks ABI compatibility for all of the
> subclasses), it is possible to make this kind of ABI stability for far
> longer than "we'll break the world every year or two".
>
> So when you say "stable ABI", it's important that you set expectations
> for what you mean by that.  Some people are willing to make much more
> stringent promises of ABI stability than others.  I've run Linux
> binaries dating back from the late nineties on modern kernels without
> a problem.  That's a much different level of ABI stability than what
> OpenSSL has promised or has delivered in the past.  (Although to be
> fair, they have a legacy code base and a legacy set of interfaces that
> make life very hard for them.)

Ah, so that'll be why when I do:

$ ls /lib/*.so*

they are all .so.0.

Not!

Anyway, yes, you are right that the promise we make is that the ABI is
only stable within versions that have the same digits in their version
number (which is not what I would call a micro release - that is
indicated by the letter following the version number).

