tech-userlevel archive


Re: openssl 3



In article <rmio88a8c7t.fsf%s1.lexort.com@localhost>,
Greg Troxel  <gdt%lexort.com@localhost> wrote:
>
>This is a software engineering question, not a security question and
>hence here.
>
>openssl 3.0.0 is out, and it has a lot of compat issues.
>I hear that openssl 1.1.1 only has two years of maintenance left.
>
>history: 8 was released in July 2018 and 9 in February 2020.  At that
>pace, 10 will be released in September 2021, but there are only 12 hours
>left :-)
>
>I observe that 10, if released in April 2022 (just making that up), can
>be expected to need support until mid 2026.  And 9 will need support until
>2024.
>
>Hence, I'm going to ignore 8, as it will be out of support long before
>1.1.1 is desupported upstream (but don't quote me on that in fall of 2023).
>
>
>What are people thinking about
>
>  updating openssl to 3.0.0 in current
>
>  if so, the effects on building pkgsrc and how to sequence that
>
>  pulling up openssl 3 to 9?
>
>
>I am guessing:
>
>  pkgsrc needs to be able to cope with 3.0.0 first
>
>  openssl 3.0.0 should go in current, for 10
>
>  9 and esp 8 will not get pullups.  It's an ABI break and not allowed.
>  
>
>(Asking with pkgsrc-pmc hat on as we have similar questions in pkgsrc
>and all of this is a bit tangled.)

My thoughts are:
- It is too late to put OpenSSL-3.0.0 in current, to become part of NetBSD-10.
- After the NetBSD-10 branch, I will move OpenSSL-1.1.1 to openssl.old and
  import OpenSSL-3.0.0 in openssl. Every port will point to openssl.old.
- I will provide OpenSSL-3.0.0 source compatibility to OpenSSL-1.1.1 if needed
  (like I did for OpenSSL-1.1.x and OpenSSL-1.0.x) by adding the missing
  functionality if needed (and if possible)
- I will make HEAD work with both OpenSSL-3.0.0 and OpenSSL-1.1.1.
- I will switch all ports to use OpenSSL-3.0.0
- Unfortunately pkgsrc will suffer the same way it did in the previous
  upgrade.

christos


