RE: mod_ssl warning with apache-2.4.46nb1

To: "'Greg Troxel'" <gdt%lexort.com@localhost>
Subject: RE: mod_ssl warning with apache-2.4.46nb1
From: "Richard Sass" <richard.sass%seqent.com@localhost>
Date: Fri, 11 Dec 2020 09:45:28 -0500

Greg Thanks

I'll look at going to 9.1.

Curious, pkgin is generally pointed to
http://nyftp.netbsd.org/pub/pkgsrc/packages/NetBSD/$arch/$osrelease/All why
would I want to use 9.0_2020Q3 after upgrading to 9.1?

-----Original Message-----
From: netbsd-users-owner%NetBSD.org@localhost <netbsd-users-owner%NetBSD.org@localhost> On
Behalf Of Greg Troxel
Sent: Thursday, December 10, 2020 12:15 PM
To: Richard Sass <richard.sass%seqent.com@localhost>
Cc: 'netbsd-users' <netbsd-users%netbsd.org@localhost>
Subject: Re: mod_ssl warning with apache-2.4.46nb1


The basic point is that you must have all installed packages from a
consistent build, which is either:

  the same bulk build (published by someone who did it right)

or

  all built by you from the same pkgsrc

or, more trikcy

  a mix of binary and yours but all built from the same pkgsrc branch
  and built on the same OS with the same config


In this case, it seems you are using old NetBSD and pkgsrc is built
against a newer version than 9.0 because there are some bugs ixed that
matter tor other things (rust, not apache AFAIK).


My advice is:

  Update to NetBSD 9.1
  point pkgin to 2020Q3
https://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/amd64/9.0_2020Q3/
    (perhpas you already have)
  pkgin fug

NetBSD simply does not have the resources to do builds for the massive
combination of older formal releases and CCPU architectures.

In theory changes alonga branch, such as from 9.0 to 9.1, do not involve
ABI changes.  As far as I know, this property in fact holds for the
netbsd-8 and netbsd-9 branches.  So there is probably no actual problem
in terms of compat.


Also, openssl 1.1.1g really ought to be binary compatible with 1.1.1d.
If not that's an openssl bug, and it's a bug in NetBSD that we applied
it on the branch.  But, my best guest is that it's toally fine.

Entirely separately from compat, you should be running recent openssl
anyway, as a matter of security best practices.

Follow-Ups:
- Re: mod_ssl warning with apache-2.4.46nb1
  - From: Greg Troxel

References:
- mod_ssl warning with apache-2.4.46nb1
  - From: Richard Sass
- Re: mod_ssl warning with apache-2.4.46nb1
  - From: Greg Troxel

Prev by Date: Re: radeon card on 9.1
Next by Date: Re: mod_ssl warning with apache-2.4.46nb1
Previous by Thread: Re: mod_ssl warning with apache-2.4.46nb1
Next by Thread: Re: mod_ssl warning with apache-2.4.46nb1
Indexes:

Home | Main Index | Thread Index | Old Index