[Exherbo-dev] DRAFT corrected version of openssl upgrade howto / news item

Robin Green greenrd at greenrd.org
Fri Nov 19 13:53:12 GMT 2010


Here is my draft corrected version of the openssl upgrade instructions,
as a news item.

One line summary of the correction:
Do "c_rehash /etc/ssl/certs" as well, because a hashing algorithm changed

This is important because: otherwise CA certs won't get found and cert
checking will fail. (Not sure in how many cases, but in some cases, at

We briefly discussed this on IRC and replica doesn't think it's worth
putting a new news item in arbor, but I do. So I don't know if this will
actually be a news item - this email might be the only notification you


-------------- next part --------------
Title: OpenSSL 1.0.0 upgrade procedure (corrected)
Author: Sterling X. Winter <replica at exherbo.org>
Author: Robin Green <greenrd at greenrd.org>
Content-Type: text/plain
Posted: 2010-11-19
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: dev-libs/openssl

NOTE: This news item replaces and updates the news item of the same name
of 2010-10-28. That news item omitted the essential c_rehash command.
All users should run the c_rehash command given below.

dev-libs/openssl[>=1.0.0] has been unmasked. Although this upgrade
breaks ABI we've opted not to slot openssl at this time. This means that
to avoid mass breakage you must follow this upgrade procedure.

Before upgrading, do a global sync, then make sure you have the distfile
for wget stored in your local cache:

    cave sync
    cave resolve -fx0 '*/*' wget

Now upgrade openssl (version 1.0.0a should be unmasked), merge its
configuration changes, and rehash its certs:

    cave resolve -1zx openssl
    eclectic config interactive
    c_rehash /etc/ssl/certs

This breaks some parts of Paludis and a few of its dependencies and
sub-dependencies. To navigate safely out of this mess, rebuild/upgrade
the following packages in order:

1. wget
2. libssh2, curl (you can skip these here if you don't have git[curl]
3. git
4. neon, subversion (you can skip these here if you don't use
5. libarchive
6. paludis (make sure to build the latest -scm revision)

At this point Paludis and its dependencies should be working again. If
something failed to build, it probably depends on something not listed
here that depends on openssl, so identify and rebuild the offending

Finally, let cave fix everything else for you:

    cave fix-linkage -x

More information about the Exherbo-dev mailing list