Re: Will OpenSSL 1.1l be back ported to 2021Q2?

To: Greg Troxel <gdt%lexort.com@localhost>
Subject: Re: Will OpenSSL 1.1l be back ported to 2021Q2?
From: "Morgan, Iain (ARC-TN)[InuTeq, LLC]" <iain.morgan%nasa.gov@localhost>
Date: Thu, 2 Sep 2021 00:23:11 +0000

Oh, I forgot to answer your question. I'm doing a source build for RHEL 7.

-- 
Iain

On 9/1/21, 17:19, "Morgan, Iain (ARC-TN)[InuTeq, LLC]" <iain.morgan%nasa.gov@localhost> wrote:

    Hi Greg,

    Thanks for the response. I was suspecting that the delay between when I sent the message and when it appeared on the mailing list (presumably due to greylisting somewhere) was complicating matters.

    I had been contemplating something similar to what you suggested, except that I'm using git rather than cvs. But, I was waiting to see if there would be an official backport.

    I'll give it a try and reply to the list with my results. Since it's just a change from 1.1k to 1.1.l I am (perhaps naively) assuming that nothing should break.

    And, I agree with you; it would be great if there was an easier way for governmental organizations to support the open source community. Having said that, I am obligated to say that any statements are solely my own opinion and do not represent NASA.

    Thanks and regards,

    -- 
    Iain

    On 9/1/21, 16:47, "Greg Troxel" <gdt%lexort.com@localhost> wrote:


        "Morgan, Iain (ARC-TN)[InuTeq, LLC]" <iain.morgan%nasa.gov@localhost> writes:

        > Not having seen any response, I assume that this question was overlooked.

        I would assume instead that a lot of people saw it, thought that a
        pullup, if done with no stability issues, would probably be good, that
        doing so would be a lot of work, that Q2 has only about 30 days left,
        and that they personally weren't going to do this.

        > Although OpenSSL 1.1l appears in pkgsrc HEAD, it doesn't look like it
        > has been backported to the 2021Q2 release. Since this update addresses
        > a security issue which is identified as High by the OpenSSL
        > developers, please backport it to the current release.

        You can certainly "cvs up -A" in security/openssl and "make replace".
        That should get you the fixes, and also any resulting stability issues.
        You can then let us know how that went; it would be helpful for others
        doing the same, as well as a data point for anyone contemplating doing a
        pullup (which is required to be ABI stable).

        I'm curious what plaatform you are using it on, and if you're doing
        binary builds yourself.

        Perhaps TNF should offer support contracts for this sort of thing, but
        they'd probaly have to be priced high enough to hire 0.5 FTE.  Even if
        there were no guarantees, phrasing it that way might make it easier for
        entities like NASA to provide funding.  I find it really unfortunate how
        donating to open source code that's being used seems much harder in a
        corporate environment than paying for proprietary software licenses.

Prev by Date: Re: [EXTERNAL] Re: Will OpenSSL 1.1l be back ported to 2021Q2?
Next by Date: Re: Will OpenSSL 1.1l be back ported to 2021Q2?
Previous by Thread: Re: [EXTERNAL] Re: Will OpenSSL 1.1l be back ported to 2021Q2?
Next by Thread: Re: Will OpenSSL 1.1l be back ported to 2021Q2?
Indexes:

Home | Main Index | Thread Index | Old Index