Comment 18 for bug 1794589

Le ven. 2 nov. 2018 à 18:41, Steve Langasek <email address hidden>
a écrit :

> This is expected behavior. These two stacks are incompatible, and while
> they use symbol versions so will not cause overt ABI problems when
> loaded into the same namespace, there are still some opaque structures
> that could be problems when passed between two libraries that each
> depend on different versions of openssl. So the value of making the
> -dev packages coinstallable is small from the perspective of the
> distribution, the costs large given that relocating one or the other
> library means reverse-dependencies would also need updating to be able
> to find it at build time, and the risks of anything built against both
> versions of libssl significant.

Hi,

i've just dug into that matter, and here are my conclusions:
- it is quite easy to build and use embedded copy of openssl, and since
Node is doing its own security tracking, it might be a realistic solution
to just do that.
- upstream is developing openssl 1.1.1 compatibility, tests pass on linux,
see https://github.com/nodejs/node/issues/18770, in which case this is
needed to pass tests without heavily patching the test suite:
https://salsa.debian.org/js-team/nodejs/commit/60488253f26c6585a816e292a742fca40afee192
- breaking ABI is now covered by
https://github.com/nodejs/node/blob/master/BUILDING.md#note-for-downstream-distributors-of-nodejs,
so i opened an issue here for debian. I suppose ubuntu could use same
versions: https://github.com/nodejs/TSC/issues/621
- nodejs 10.13 is waiting in NEW/experimental. As soon as it is accepted
i'll backport the work on nodejs 8 branch, in case nodejs 10 doesn't make
it before debian freeze.

Jérémy