WIP: (building) Bump openssl to 1.0.2q #3629
@chickenandpork Large effort. What is the specific motivation for this version upgrade? I have already built and published python3 and borgbackup, waiting for activation when homeassistant will be ready too...

@chickenandpork You have proposed a PR to include your "all-affected-spks" target. This is closed today. Have you got a more recent version to submit?
That PR was dirty from “all-affected-spks” testing. I’ll push a cleaner one.

On Feb 16, 2019, at 09:41, Yves Martin wrote:
> @chickenandpork You have proposed a PR to include your "all-affected-spks" target. This is closed today. Have you got a more recent version to submit?
Keeping SSL libraries updated tends to be a safe course of action.
The testing will require more than a week of build time, but we cannot very easily have different versions of dependencies.
I’ll need more horsepower to do builds faster, so it’ll be a few days.
Allan
On Feb 16, 2019, at 09:41, Yves Martin wrote:
> @chickenandpork You have proposed a PR to include your "all-affected-spks" target. This is closed today. Have you got a more recent version to submit?
For information, some websites (and probably many more soon) follow a "rude" recommendation to only allow TLS 1.3 because of a flaw in the handshake of previous TLS versions. And this requires at least openssl 1.1.1...

So, given the big build requirements, would you suggest making a bigger jump to OpenSSL 1.1.x?
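The thread turns on which OpenSSL releases can do TLS 1.3 at all (1.1.1 and later) and on comparing letter-suffixed versions such as 1.0.2q. The following is an added example, not code from the PR or from spksrc: it parses the pre-3.0 OpenSSL version scheme into a comparable tuple, gates TLS 1.3 support on the 1.1.1 threshold, and reports which libssl the running interpreter is linked against.

```python
import re
import ssl

# Pre-3.0 OpenSSL release scheme: MAJOR.MINOR.FIX plus an optional patch
# letter, e.g. "1.0.2q" or "1.1.1a". Parsed into a tuple that sorts correctly:
# "1.0.2q" -> (1, 0, 2, 17), "1.1.1" -> (1, 1, 1, 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

# TLS 1.3 arrived with OpenSSL 1.1.1, as the thread notes.
TLS13_MIN_VERSION = (1, 1, 1, 0)


def parse_openssl_version(text):
    """Parse 'OpenSSL 1.0.2q  20 Nov 2018' or a bare '1.0.2q' into a tuple."""
    token = text.split()[1] if text.startswith("OpenSSL") else text.strip()
    m = _VERSION_RE.match(token)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters = m.groups()
    # Patch letters count from 1 ('a' == 1); after 'z' OpenSSL continued
    # with 'za', 'zb', ..., so summing the letters keeps the ordering.
    patch = sum(ord(ch) - ord("a") + 1 for ch in letters)
    return (int(major), int(minor), int(fix), patch)


def supports_tls13(version_text):
    """True if this OpenSSL release can negotiate TLS 1.3 (>= 1.1.1)."""
    return parse_openssl_version(version_text) >= TLS13_MIN_VERSION


def needs_bump(current_text, target_text):
    """True if the proposed version is actually newer than the current one."""
    return parse_openssl_version(target_text) > parse_openssl_version(current_text)


def check_runtime():
    """Report the libssl this interpreter is linked against."""
    return {
        "version": ssl.OPENSSL_VERSION,
        "tls13": getattr(ssl, "HAS_TLSv1_3", False),
    }


if __name__ == "__main__":
    for v in ("1.0.2q", "1.1.1", "1.0.2u"):
        verdict = "TLS 1.3 capable" if supports_tls13(v) else "no TLS 1.3 (needs >= 1.1.1)"
        print(v, verdict)
    print(check_runtime())
```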
Corporate side, we flip between different TLS libraries: the rudeness you observe might also be turning off vulnerable TLS versions due to static analysis tools flagging them as errors.
This is to say: they might not be doing it to be obnoxious, but because a tool they’ve committed to honor to avoid legal risk is now alerting. It’s a hard choice between supporting customers despite risk.
Given the build demand this PR entails, I don’t want to do builds on it yet until I’ve got a bigger machine up. I would estimate the dependency to cause over a week of builds on my current environment and I need to ensure at least the first build involves an empty cache.
On Feb 18, 2019, at 14:47, Yves Martin wrote:
> For information, some websites (and probably many more soon) follow a "rude" recommendation to only allow TLS 1.3 because of flaw in handshake in previous TLS versions. And this requires at least openssl 1.1.1...
For what it's worth, it seems someone tried to introduce

@m4tt075 I did try to upgrade to openssl 1.1 and wrote that section - happy it has been useful. So we may try again and check "most" applications' compatibility.

Possible dupe of #3560 .. working on bigger HW (for the massive build demand) so I’ll back off and see if 3560 merges. There’s perhaps a need for automated canary and federated acceptance/bless of versions across architectures.
As openssl is updated to 1.0.1.u, this PR has become obsolete.
Motivation: Security

Linked issues:

According to all-affected-spks, this will require an extensive build:... see you next week! I honestly assume something in this list will fail to build but for unrelated reasons, so there might be a pre-PR with some version bumps that are necessary to build this one.

Checklist
- all-supported completed successfully