pkgsrc-Users archive


Re: Will OpenSSL 1.1l be back ported to 2021Q2?



* On 2021-09-02 at 00:47 BST, Greg Troxel wrote:

> "Morgan, Iain (ARC-TN)[InuTeq, LLC]" <iain.morgan%nasa.gov@localhost> writes:
>
>> Although OpenSSL 1.1l appears in pkgsrc HEAD, it doesn't look like it
>> has been backported to the 2021Q2 release. Since this update addresses
>> a security issue which is identified as High by the OpenSSL
>> developers, please backport it to the current release.
>
> Perhaps TNF should offer support contracts for this sort of thing, but
> they'd probably have to be priced high enough to hire 0.5 FTE.  Even if
> there were no guarantees, phrasing it that way might make it easier for
> entities like NASA to provide funding.  I find it really unfortunate how
> donating to open source code that's being used seems much harder in a
> corporate environment than paying for proprietary software licenses.

One available option is the pkgsrc Q4 branches that I maintain as LTS releases for 3 years for my SmartOS users. Obviously over time the older branches get fewer updates as it gets progressively more difficult to backport and test changes, but if you don't mind branches older than the most recent quarterly then these may be suitable:

  https://github.com/joyent/pkgsrc/tree/joyent/feature/backports/2020Q4
  https://github.com/joyent/pkgsrc/tree/joyent/feature/backports/2019Q4
  https://github.com/joyent/pkgsrc/tree/joyent/feature/backports/2018Q4

Otherwise for quite a few years now I've simply been recommending that users follow trunk, as you always get all of the latest security fixes and stable releases. If you're building packages yourself then you'll need some buffer between building and deploying to ensure that everything you need is still working, but for my binary package users this has worked very well (modulo the recent haproxy -fwrapv screwup).

--
Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com

