Getting rid of -ssl variants by using system-openssl-dev
From the Fink Wiki
Why to merge %N and %N-ssl
I will start by naming some reasons why one might want to merge %N and %N-ssl:
- Legal issues with the OpenSSL package force packages depending on it to use "Restrictive" as License, even if they actually are e.g. GPL. See Fink's packaging policy for details.
- Easier maintenance. Instead of having to maintain two .info files, always having to watch out for inconsistencies, there is only one.
- Less confusion for users. No more "Hm, why is there both sitecopy and sitecopy-ssl, and which do I want? What is this 'SSL' thingy anyway?"
- Less confusion / burden for other package maintainers. Let's say you provide both libfoo and libfoo-ssl. There is this other maintainer who works on the 'quux' package, which requires libfoo and works fine with either. He now has to worry about whether to depend on libfoo, libfoo-ssl, or maybe both (if possible). He may even be forced to make a -ssl variant of his own, just to accommodate your two libfoo variants.
There are cases where such a merge might not be possible or advisable. Some possible reasons:
- The package uses gnutls or mozilla-nss, and not openssl. In that case, you can't use system-openssl-dev and thus the operation described here is not possible.
- The package requires a certain version of openssl not provided by (all) system variants your package needs to run. (A rather rare event, though.)
- Some other package yours depends on is using Fink's openssl instead of system-openssl-dev. See also the list of pitfalls below.
How to merge %N and %N-ssl using system-openssl-dev
The following describes the simplest case: There is a package %N and a package %N-ssl, where the latter depends on the openssl or openssl097 package currently. There are no splitoffs and you want to merge the two.
For the sake of this example, we will assume that the package is called "foo" (i.e. %N is "foo"), and that the existing version and revision of both foo and foo-ssl is 1.2.3-4. Our plan is to always enable SSL usage in package foo using system-openssl-dev. To make the transition easier for the user, we also provide a dummy foo-ssl splitoff, marked as an obsolete package.
Preparations
We start out by opening foo.info (and for reference, also foo-ssl.info, although we are later going to delete it). As the very first thing, increase the revision from 4 to 5.
Using system-openssl-dev
Next, we want to enable OpenSSL usage by default. For this, you need to duplicate all changes in foo-ssl which are SSL relevant in your foo.info. This might include adding --with-ssl to your ConfigureParams, or removing --without-ssl from them. Additional build and run-time dependencies may have to be added; maybe even portions of the .patch file (if any) transferred. Being the maintainer of the package, you should be aware of the required changes ;-).
Now, remove all (build) dependencies on openssl, openssl097, openssl-dev etc., and in their place add a BuildDepends on system-openssl-dev. We must make sure that the package actually uses the correct headers and libraries, though. The problem is that those headers and libs are found in /usr/include and /usr/lib, but normally Fink requires all compiles to first look for libraries in /sw/include and /sw/lib -- oops, conflicting requirements. To solve this problem, the system-openssl-dev package provides /sw/lib/system-openssl/include and /sw/lib/system-openssl/lib containing symlinks to the proper headers and libs. You just have to make sure your package uses those by ensuring it looks for files in there first. To achieve that, it may be sufficient to add --with-libs=%p/lib/system-openssl to your ConfigureParams. In other cases, adding them to CPPFLAGS/LDFLAGS manually may work, e.g.
SetCPPFLAGS: -I%p/lib/system-openssl/include
SetLDFLAGS: -L%p/lib/system-openssl/lib
In some cases you may have to patch the package build systems to work correctly.
At this point, we have completed part 1 of the conversion. The new foo-1.2.3-5 should build correctly and provide SSL support. You may want to verify that.
Providing a smooth upgrade path for end users
We could stop now. The problem is: Users who are using your foo-ssl package may never notice the update. After all, there is no new version of foo-ssl out there, and they are not using foo, so they may never make the switch. Not good.
So, we will add a dummy foo-ssl splitoff which will take care of the upgrade for users doing a fink update-all. In addition, we will mark it as obsolete.
Modify the Conflicts and Replaces fields of package foo. If they used to be something like
Conflicts: foo-ssl
Replaces: foo-ssl
then change them to
Conflicts: foo-ssl (<< 1.2.3-5)
Replaces: foo-ssl (<< 1.2.3-5)
This is necessary because we don't want the dummy foo-ssl splitoff we are going to create to conflict with foo (else the smooth upgrade would be impossible).
Then add the following to foo.info:
SplitOff: <<
Package: %N-ssl
Depends: %N (= %v-%r), fink-obsolete-packages
InstallScript: <<
mkdir -p %i/share/doc/installed-packages
touch %i/share/doc/installed-packages/%n
<<
Description: Placeholder package to update to unified %N. (OBSOLETE)
<<
Pitfalls
Cascading OpenSSL Dependencies
One major pitfall to watch out for is when you depend on other packages which require OpenSSL. E.g. sitecopy depends also on the neon library, which itself uses SSL. In that case, you must make sure that no mixup occurs with respect to OpenSSL. In particular, you (probably?) can only switch to system-openssl-dev once all your dependencies also made the switch. Else, you would end up linking to both the system's OpenSSL directly, and Fink's OpenSSL indirectly, which can lead to all sorts of problems, ranging from compiler/linker errors up to subtle malfunctions and crashes.
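One way to check a built package for the mixup described above (and to do the verification suggested after part 1 of the conversion) is to classify the OpenSSL libraries named in `otool -L` output for the binary and for each library it depends on. This is an added example, not part of the original wiki page; the function names and the sample library names and versions are constructed for illustration, and the Fink prefix is assumed to be /sw.

```shell
#!/bin/sh
# Classify OpenSSL linkage from `otool -L` output read on stdin.
# Prints: system | fink | mixed | none.  $1 = Fink prefix (%p), default /sw.
# Real use: otool -L /sw/bin/foo /sw/lib/libbar.dylib | classify_openssl_linkage
classify_openssl_linkage() {
    awk -v prefix="${1:-/sw}" '
        {
            # Basename of the first field; "file:" header lines never match.
            n = split($1, parts, "/"); base = parts[n]
            if (base !~ /^lib(ssl|crypto)[.0-9a-z]*\.dylib$/) next
            # The system-openssl symlink directory counts as the system copy.
            if (index($1, prefix "/lib/system-openssl/") == 1) sys = 1
            else if (index($1, prefix "/") == 1) fink = 1
            else if (index($1, "/usr/lib/") == 1) sys = 1
        }
        END {
            if (sys && fink) print "mixed"
            else if (sys) print "system"
            else if (fink) print "fink"
            else print "none"
        }'
}

# Constructed sample: the binary links the system OpenSSL directly,
# while its neon dependency still links Fink's OpenSSL.
sample_mixed() {
    cat <<'EOF'
/sw/bin/sitecopy:
    /sw/lib/libneon.26.dylib (compatibility version 27.0.0, current version 27.2.0)
    /usr/lib/libssl.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
/sw/lib/libneon.26.dylib:
    /sw/lib/libneon.26.dylib (compatibility version 27.0.0, current version 27.2.0)
    /sw/lib/libssl.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
EOF
}

# Constructed sample: every dependency has switched to system-openssl-dev.
sample_clean() {
    sample_mixed | sed 's|^    /sw/lib/libssl|    /usr/lib/libssl|'
}

sample_mixed | classify_openssl_linkage
```

A result of "mixed" means at least one dependency has not yet made the switch, which is the situation the paragraph above warns about.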
SplitOffs and Dependencies
If a package using Fink's OpenSSL has other packages depending on it, chances are you will need to make a new name for the package, to provide a clean upgrade path. By convention, these are called "[your package]-unified". This is necessary because if you have a package like so:
Package: foo-core-ssl
Depends: %N-shlibs (= %v-%r)
Conflicts: foo-core
Replaces: foo-core
SplitOff: <<
Package: %N-shlibs
Conflicts: foo-core-shlibs
Replaces: foo-core-shlibs
<<
...and then another package depends on it:
Package: foo-base-ssl
Depends: %N-shlibs (= %v-%r)
Conflicts: foo-base
Replaces: foo-base
SplitOff: <<
Package: %N-shlibs
Depends: foo-core-ssl-shlibs (>= 1.4-1)
Conflicts: foo-base-shlibs
Replaces: foo-base-shlibs
<<
...it is impossible to turn "foo-ssl" into just "foo" because of the versioned dependency on the foo-ssl-shlibs package. (In theory, dpkg/fink could be made smart enough to force this behavior, but currently it bombs out.)
The solution is to turn "foo-core" into a "unified" package that merges ssl and non-ssl, and then provides splitoffs for backwards compatibility (note the "Replaces" without "Conflicts" in the real packages, and the >= instead of = for the backwards-compatibility packages):
Package: foo-core-unified
Depends: %N-shlibs (= %v-%r)
Replaces: foo-core
SplitOff: <<
Package: %N-shlibs
Replaces: foo-core-shlibs
<<
SplitOff2: <<
Package: foo-core
Depends: %N (>= %v-%r)
<<
SplitOff3: <<
Package: foo-core-shlibs
Depends: %N-shlibs (>= %v-%r)
<<
SplitOff4: <<
Package: foo-core-ssl
Depends: %N (>= %v-%r)
<<
SplitOff5: <<
Package: foo-core-ssl-shlibs
Depends: %N-shlibs (>= %v-%r)
<<
Example
Before the conversion:
Package: foo
Version: 1.2.3
Revision: 4
Maintainer: John Smith <john.smith@dummy.dom>
Depends: libgettext3-shlibs
BuildDepends: libgettext3-dev, gettext-bin, gettext-tools
Conflicts: foo-ssl
Replaces: foo-ssl
ConfigureParams: --without-ssl
DocFiles: COPYING
Description: Pseudo package, for demo purposes only
License: GPL

Package: foo-ssl
Version: 1.2.3
Revision: 4
Maintainer: John Smith <john.smith@dummy.dom>
Depends: libgettext3-shlibs, openssl097-shlibs
BuildDepends: libgettext3-dev, gettext-bin, gettext-tools, openssl097-dev
Conflicts: foo
Replaces: foo
ConfigureParams: --with-ssl
DocFiles: COPYING
Description: Pseudo package, for demo purposes only (with SSL)
License: GPL
After the conversion:
Package: foo
Version: 1.2.3
Revision: 5
Maintainer: John Smith <john.smith@dummy.dom>
Depends: libgettext3-shlibs
BuildDepends: libgettext3-dev, gettext-bin, gettext-tools, system-openssl-dev
Conflicts: foo-ssl (<< 1.2.3-5)
Replaces: foo-ssl (<< 1.2.3-5)
ConfigureParams: --with-ssl --with-libs=%p/lib/system-openssl
DocFiles: COPYING
Description: Pseudo package, for demo purposes only
License: GPL
SplitOff: <<
Package: %N-ssl
Depends: %N (= %v-%r), fink-obsolete-packages
InstallScript: <<
mkdir -p %i/share/doc/installed-packages
touch %i/share/doc/installed-packages/%n
<<
Description: Placeholder package to update to unified %N. (OBSOLETE)
<<

