4 files changed, 7 insertions, 35 deletions
diff --git a/debian/changelog b/debian/changelog
index 02909e99f..603ca1a3e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -49,6 +49,13 @@ openssh (1:5.4p1-1) UNRELEASED; urgency=low
  * Remove SSHD_OOM_ADJUST configuration.  sshd now unconditionally makes
    itself non-OOM-killable, and doesn't require configuration to avoid log
    spam in virtualisation containers (closes: #555625).
+  * Drop Debian-specific removal of OpenSSL version check.  Upstream ignores
+    the two patchlevel nybbles now, which is sufficient to address the
+    original reason this change was introduced, and it appears that any
+    change in the major/minor/fix nybbles would involve a new libssl package
+    name.  (We'd still lose if the status nybble were ever changed, but that
+    would mean somebody had packaged a development/beta version rather than
+    a proper release, which doesn't appear to be normal practice.)
 -- Colin Watson <cjwatson@debian.org>  Mon, 01 Mar 2010 12:24:41 +0000
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch
deleted file mode 100644
index 82f1fa472..000000000
--- a/debian/patches/no-openssl-version-check.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Description: Disable OpenSSL version check
- It may be that this patch should be replaced by more accurate dependencies,
- and it certainly doesn't seem suitable for upstream.  This is a very old
- change, though, and needs review of current practices in Debian's OpenSSL
- package.
-Author: Philip Hands <phil@hands.com>
-Bug-Debian: http://bugs.debian.org/93581
-Forwarded: not-needed
-Last-Update: 2010-02-28
-Index: b/entropy.c
-===================================================================
--- a/entropy.c
-+++ b/entropy.c
-@@ -151,6 +151,8 @@
- void
- init_rng(void)
- {
-+#if defined (DISABLED_BY_DEBIAN)
-+  /* drow: Is this check still too strict for Debian?  */
-        /*
-         * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
-         * We match major, minor, fix and status (not patch)
-@@ -158,6 +160,7 @@
-        if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
-                fatal("OpenSSL version mismatch. Built against %lx, you "
-                    "have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
-+#endif
- 
- #ifndef OPENSSL_PRNG_ONLY
-        original_uid = getuid();
diff --git a/debian/patches/series b/debian/patches/series
index aaee184ee..03a17ba91 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -44,6 +44,5 @@ doc-connection-sharing.patch
 doc-hash-tab-completion.patch
 # Debian-specific configuration
-no-openssl-version-check.patch
 gnome-ssh-askpass2-icon.patch
 debian-config.patch
diff --git a/entropy.c b/entropy.c
index 3f63239f4..8b705397f 100644
--- a/entropy.c
+++ b/entropy.c
@@ -151,8 +151,6 @@ seed_rng(void)
 void
 init_rng(void)
 {
-#if defined (DISABLED_BY_DEBIAN)
-  /* drow: Is this check still too strict for Debian?  */
        /*
         * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
         * We match major, minor, fix and status (not patch)
@@ -160,7 +158,6 @@ init_rng(void)
        if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
                fatal("OpenSSL version mismatch. Built against %lx, you "
                    "have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
-#endif
 #ifndef OPENSSL_PRNG_ONLY
        original_uid = getuid();

diff --git a/debian/changelog b/debian/changelog index 02909e99f..603ca1a3e 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -49,6 +49,13 @@ openssh (1:5.4p1-1) UNRELEASED; urgency=low
49	* Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makes	49	* Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makes
50	itself non-OOM-killable, and doesn't require configuration to avoid log	50	itself non-OOM-killable, and doesn't require configuration to avoid log
51	spam in virtualisation containers (closes: #555625).	51	spam in virtualisation containers (closes: #555625).
		52	* Drop Debian-specific removal of OpenSSL version check. Upstream ignores
		53	the two patchlevel nybbles now, which is sufficient to address the
		54	original reason this change was introduced, and it appears that any
		55	change in the major/minor/fix nybbles would involve a new libssl package
		56	name. (We'd still lose if the status nybble were ever changed, but that
		57	would mean somebody had packaged a development/beta version rather than
		58	a proper release, which doesn't appear to be normal practice.)
52		59
53	-- Colin Watson <cjwatson@debian.org> Mon, 01 Mar 2010 12:24:41 +0000	60	-- Colin Watson <cjwatson@debian.org> Mon, 01 Mar 2010 12:24:41 +0000
54		61


diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch deleted file mode 100644 index 82f1fa472..000000000 --- a/debian/patches/no-openssl-version-check.patch +++ /dev/null
@@ -1,31 +0,0 @@
1	Description: Disable OpenSSL version check
2	It may be that this patch should be replaced by more accurate dependencies,
3	and it certainly doesn't seem suitable for upstream. This is a very old
4	change, though, and needs review of current practices in Debian's OpenSSL
5	package.
6	Author: Philip Hands <phil@hands.com>
7	Bug-Debian: http://bugs.debian.org/93581
8	Forwarded: not-needed
9	Last-Update: 2010-02-28
10
11	Index: b/entropy.c
12	===================================================================
13	--- a/entropy.c
14	+++ b/entropy.c
15	@@ -151,6 +151,8 @@
16	void
17	init_rng(void)
18	{
19	+#if defined (DISABLED_BY_DEBIAN)
20	+ /* drow: Is this check still too strict for Debian? */
21	/*
22	* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
23	* We match major, minor, fix and status (not patch)
24	@@ -158,6 +160,7 @@
25	if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
26	fatal("OpenSSL version mismatch. Built against %lx, you "
27	"have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
28	+#endif
29
30	#ifndef OPENSSL_PRNG_ONLY
31	original_uid = getuid();


diff --git a/debian/patches/series b/debian/patches/series index aaee184ee..03a17ba91 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -44,6 +44,5 @@ doc-connection-sharing.patch
44	doc-hash-tab-completion.patch	44	doc-hash-tab-completion.patch
45		45
46	# Debian-specific configuration	46	# Debian-specific configuration
47	no-openssl-version-check.patch
48	gnome-ssh-askpass2-icon.patch	47	gnome-ssh-askpass2-icon.patch
49	debian-config.patch	48	debian-config.patch


diff --git a/entropy.c b/entropy.c index 3f63239f4..8b705397f 100644 --- a/entropy.c +++ b/entropy.c
@@ -151,8 +151,6 @@ seed_rng(void)
151	void	151	void
152	init_rng(void)	152	init_rng(void)
153	{	153	{
154	#if defined (DISABLED_BY_DEBIAN)
155	/* drow: Is this check still too strict for Debian? */
156	/*	154	/*
157	* OpenSSL version numbers: MNNFFPPS: major minor fix patch status	155	* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
158	* We match major, minor, fix and status (not patch)	156	* We match major, minor, fix and status (not patch)
@@ -160,7 +158,6 @@ init_rng(void)
160	if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)	158	if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
161	fatal("OpenSSL version mismatch. Built against %lx, you "	159	fatal("OpenSSL version mismatch. Built against %lx, you "
162	"have %lx", OPENSSL_VERSION_NUMBER, SSLeay());	160	"have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
163	#endif
164		161
165	#ifndef OPENSSL_PRNG_ONLY	162	#ifndef OPENSSL_PRNG_ONLY
166	original_uid = getuid();	163	original_uid = getuid();