pkgsrc-Users archive


Re: Will OpenSSL 1.1l be back ported to 2021Q2?



"Morgan, Iain (ARC-TN)[InuTeq, LLC]" <iain.morgan%nasa.gov@localhost> writes:

> Not having seen any response, I assume that this question was overlooked.

I would assume instead that a lot of people saw it, thought that a
pullup, if done with no stability issues, would probably be good, that
doing so would be a lot of work, that Q2 has only about 30 days left,
and that they personally weren't going to do this.

> Although OpenSSL 1.1l appears in pkgsrc HEAD, it doesn't look like it
> has been backported to the 2021Q2 release. Since this update addresses
> a security issue which is identified as High by the OpenSSL
> developers, please backport it to the current release.

You can certainly "cvs up -A" in security/openssl and "make replace".
That should get you the fixes, and also any resulting stability issues.
You can then let us know how that went; it would be helpful for others
doing the same, as well as a data point for anyone contemplating doing a
pullup (which is required to be ABI stable).

I'm curious what platform you are using it on, and if you're doing
binary builds yourself.

Perhaps TNF should offer support contracts for this sort of thing, but
they'd probably have to be priced high enough to hire 0.5 FTE.  Even if
there were no guarantees, phrasing it that way might make it easier for
entities like NASA to provide funding.  I find it really unfortunate how
donating to open source code that's being used seems much harder in a
corporate environment than paying for proprietary software licenses.
