"Christoph M. Becker" in php.internals (Thu, 5 Sep 2024 19:19:45 +0200):
>I'm still not happy considering that this would still leave more than
>one year of lacking upstream support, where our Windows builds might
>need to be fixed with some publicly available patches, in case there are
>any security vulnerabilities (I'm presuming that the PHP project will not
>afford a support contract; it seems these don't even apply to Open
>Source downstream consumers).
>
>So I wonder about the stability of OpenSSL minor versions nowadays, and
>whether we want to update to a new minor version during the lifecycle of
>a PHP minor release. For instance regarding PHP 8.3, we may consider
>updating OpenSSL to 3.4 roughly in a year, when PHP 8.3 has still active
>support for about four months, so we could still react to issues with
>that update.
OpenSSL 3.5 has been marked as LTS now and supported up until 2030-04-08.
https://openssl-library.org/policies/releasestrat/index.html

This might be a good time to update OpenSSL to 3.5. OpenSSL 3.5.2 has been released today. Could we release PHP 8.5 with OpenSSL 3.5.2 and implement this change before the feature freeze?

--
Jan