From lucas.gonze at gmail.com  Fri Jul 28 18:15:59 2023
From: lucas.gonze at gmail.com (Lucas Gonze)
Date: Fri, 28 Jul 2023 14:15:59 -0400
Subject: [cppget] git tags or versions
Message-ID: <CACvjfPkZBi3Cr04wbyzqaKLRm0TruxwVPQPbdEVx+6f_awNgvQ@mail.gmail.com>

Is it safe to assume that these libraries were built from 1.1.1 branch?

libcrypto 1.1
libssl 1.1

The back story is that I am assisting a company that will be including
those binaries in its product and needs to comply with the GPL requirement
to provide source code. To do that I need to find the version of the source
that corresponds to the binaries.

I believe but am not certain that all versions with a 1.1.1 tag are built
into binaries with 1.1 in the name.

For example, https://github.com/openssl/openssl/releases/tag/OpenSSL_1_1_1s
would produce a libcrypto with version 1.1.

Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cppget.org/archives/users/attachments/20230728/7dc6c5c8/attachment.html>

From boris at codesynthesis.com  Mon Jul 31 14:53:08 2023
From: boris at codesynthesis.com (Boris Kolpackov)
Date: Mon, 31 Jul 2023 16:53:08 +0200
Subject: [cppget] git tags or versions
In-Reply-To: <CACvjfPkZBi3Cr04wbyzqaKLRm0TruxwVPQPbdEVx+6f_awNgvQ@mail.gmail.com>
References: <CACvjfPkZBi3Cr04wbyzqaKLRm0TruxwVPQPbdEVx+6f_awNgvQ@mail.gmail.com>
Message-ID: <boris.20230731163759@codesynthesis.com>

Lucas Gonze via users <users at cppget.org> writes:

> Is it safe to assume that these libraries were built from 1.1.1 branch?
> 
> libcrypto 1.1
> libssl 1.1

Hm, are you referring to the .so binaries (e.g., libcrypto-1.1.so) that
were built from the build2 libcrypto package[1]?

If the answer is yes, then, yes, all the libcrypto-1.1.so binaries
would have been built from the libcrypto-1.1.1+X packages which in
turn are all based on (upstream) OpenSSL 1.1.1Y.

Generally, if you want to trace the provenance of a binary that was
built from a build2 package, the recommended procedure would be:

1. Determine the version of the source package that this binary
   has been built from. So in the above example it could be:

   libcrypto-1.1.so -> 1.1.1+21

2. If the source package doesn't use the same versioning scheme as
   upstream, then look for the upstream-version value. So in the above
   example:

   1.1.1+21 -> 1.1.1u

3. If you want to trace the version to upstream commit id, use the
   package-url value to locate the package git repository. In the
   above example:

   package-url: git.build2.org/cgit/packaging/openssl/

   Then, in that git repository locate the v<version> tag (v1.1.1+21
   in the above example) and from that tag get the commit id of the
   upstream submodule (70c2912 in the above example).

   You can then take this commit id and use it in the upstream git
   repository. In the above example:

   https://github.com/openssl/openssl/commit/70c2912


[1] https://cppget.org/libcrypto