> That's the catch here. Subversion does not ship with OpenSSL by
> itself. From Subversion's point of view this is a 3rd-party
> dependency. You can easily build Subversion 1.9.x/1.10.x with OpenSSL
> 1.0.x. Whether or not you run into this issue therefore is outside the
> scope of Subversion IMO. It's something the distribution of Subversion
> (in your case the Debian Subversion distribution) should document.
> Note that in principle you could very well run into the same situation
> with Subversion 1.8 or even 1.7, if you build one version with OpenSSL
> <= 1.0 and the other with OpenSSL >= 1.1 (or set certain OpenSSL
> configs which also would flag md5 digests as being too weak with older
> OpenSSL versions).
> It could be something worthwhile adding to the FAQ however, though
> then in a more general manner like:
> Troubleshooting Subversion SSL connection.
The FAQ seems to be a good place.
Nevertheless, in such situations we are probably not the only ones
looking primarily into the Subversion release notes, not so much into
the Debian documentation or Subversion FAQ, because the problem
seemingly was caused - in simple terms - by the Subversion update.
Also note that new releases of distributions of Subversion are usually
strongly correlated with new Subversion releases.
So I still suggest to also put a warning in the Subversion release
notes, for example:
"Your distribution may also upgrade OpenSSL along with the Subversion
upgrade, which may cause trouble, see xxxx in the FAQ."
At least us it would have spared a lot of time ;-)
Even if you may insist that this logically the "wrong" place, sometimes
a note in such a "wrong" place can be very helpful for users who are
looking in that "wrong" place, ;-)
Received on 2018-08-01 12:58:50 CEST