pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [EXTERNAL] Re: Will OpenSSL 1.1l be back ported to 2021Q2?

Hi Greg,

Thanks for the response. I was suspecting that the delay between when I sent the message and when it appeared on the mailing list (presumably due to greylisting somewhere) was complicating matters.

I had been contemplating something similar to what you suggested, except that I'm using git rather than cvs. But, I was waiting to see if there would be an official backport.

I'll give it a try and reply to the list with my results. Since it's just a change from 1.1k to 1.1.l I am (perhaps naively) assuming that nothing should break.

And, I agree with you; it would be great if there was an easier way for governmental organizations to support the open source community. Having said that, I am obligated to say that any statements are solely my own opinion and do not represent NASA.

Thanks and regards,


On 9/1/21, 16:47, "Greg Troxel" <> wrote:

    "Morgan, Iain (ARC-TN)[InuTeq, LLC]" <> writes:

    > Not having seen any response, I assume that this question was overlooked.

    I would assume instead that a lot of people saw it, thought that a
    pullup, if done with no stability issues, would probably be good, that
    doing so would be a lot of work, that Q2 has only about 30 days left,
    and that they personally weren't going to do this.

    > Although OpenSSL 1.1l appears in pkgsrc HEAD, it doesn't look like it
    > has been backported to the 2021Q2 release. Since this update addresses
    > a security issue which is identified as High by the OpenSSL
    > developers, please backport it to the current release.

    You can certainly "cvs up -A" in security/openssl and "make replace".
    That should get you the fixes, and also any resulting stability issues.
    You can then let us know how that went; it would be helpful for others
    doing the same, as well as a data point for anyone contemplating doing a
    pullup (which is required to be ABI stable).

    I'm curious what plaatform you are using it on, and if you're doing
    binary builds yourself.

    Perhaps TNF should offer support contracts for this sort of thing, but
    they'd probaly have to be priced high enough to hire 0.5 FTE.  Even if
    there were no guarantees, phrasing it that way might make it easier for
    entities like NASA to provide funding.  I find it really unfortunate how
    donating to open source code that's being used seems much harder in a
    corporate environment than paying for proprietary software licenses.

Home | Main Index | Thread Index | Old Index