Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4

[Yoann Congal via lists.openembedded.org]

On Mon Feb 2, 2026 at 4:38 PM CET, Yoann Congal wrote:
> Le sam. 31 janv. 2026 à 19:47, Marko, Peter <peter.ma...@siemens.com> a
> écrit :
>
>> I have checked the m2crypto build issue and found out that I had to fix
>> this for newer Yocto releases already.
>>
>>
>> https://git.openembedded.org/meta-openembedded/commit/?id=f9158ce32fffa6f18eed4008c3295146c81d55ea
>>
>> Applying this commit to scarthgap works, so I have submitted it.
>>
>> https://lists.openembedded.org/g/openembedded-devel/message/124019
>>
>
>  Thanks Peter,
>
> I've put that m2crypto patch on a branch and ran a full meta-openembedded
> world build (every layers under meta-openembedded)
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/81/builds/1285
> => Only warnings (reference to TMPDIR [buildpaths]) that are most likely
> not related to the openssl upgrade

I've run this build again (with a more recent scarthgap
oe-core & meta-openembedded):
* Since the m2crypto patch has merged, meta-openembedded is on scarthgap
  without additionnal patches.
* https://autobuilder.yoctoproject.org/valkyrie/?#/builders/81/builds/1323
  same unrelated buildpath warnings, no errors.

Regards,
>
>
>> Peter
>>
>>
>>
>> *From:* Yoann Congal <yoann.con...@smile.fr>
>> *Sent:* Wednesday, January 28, 2026 12:05
>> *To:* Marko, Peter (FT D EU SK BFS1) <peter.ma...@siemens.com>
>> *Cc:* openembedded-core@lists.openembedded.org
>> *Subject:* Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6
>> -> 3.5.4
>>
>>
>>
>> Le ven. 23 janv. 2026 à 18:02, Yoann Congal <yoann.con...@smile.fr> a
>> écrit :
>>
>> Le ven. 23 janv. 2026 à 13:33, Peter Marko via lists.openembedded.org
>> <peter.marko=siemens....@lists.openembedded.org> a écrit :
>>
>> Intention of this RFC is to run full autobuilder job matrix to see if
>> there are any failures not detected by my local testsuite.
>>
>>
>>
>> I created a poky branch with this patch :
>> https://git.yoctoproject.org/poky-contrib/log/?h=ycongal/scarthgap/openssl_3.5_upgrade
>>
>> (above my -nut branch to decrease the probability of an unrelated AB-INT
>> failure)
>>
>>
>>
>> I've started the build :
>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118
>>
>>
>>
>> Hello,
>>
>>
>>
>> As discussed during the tech call of last tuesday, I've started builds:
>>
>> * a new a-full with rebased branch on the latest scarthgap (now, the
>> branch is only scarthgap+this upgrade)
>>
>>   *
>> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3133/
>> failed on a unrelated AB-INT issue (#15945) but is otherwise OK
>>
>> * a meta-oe build (which includes a world build for meta-oe, meta-python,
>> meta-networking & meta-filesystems):
>>
>>   *
>> https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1277
>>
>>   * *Failed on python3-m2crypto* (log.do_compile =>
>> https://gist.github.com/ycongal-smile/4c6501ecd81c9f475b793234cceb7a74)
>>
>> * to compare, I've started the same build with a vanilla scarthgap branch
>> (without the openssl upgrade):
>>
>>   *
>> https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1278
>> => success (albeit with warnings)
>>
>>
>>
>> Can you investigate this python3-m2crypto failure?
>>
>>
>>
>> Also, the "meta-oe" build does not cover every layer in meta-openembedded,
>> I think I will increase coverage to all the meta-openembedded layers for
>> the next run...
>>
>>
>>
>>
>>
>> Topic for discussion is especially what should be the final form of this
>> upgrade as some users may want to stay on openssl 3.2.x originally
>> shipped with Yocto 5.0 Scarthgap.
>> Current form was chosen to easily review recipe/patch differences.
>> Is it fine to overwrite or do we need to keep both version and make one
>> the default and other optional? Which would be tested on AB?
>>
>> Peter Marko (1):
>>   openssl: upgrade 3.2.6 -> 3.5.4
>>
>>  .../openssl/files/environment.d-openssl.sh    |  9 ++-
>>  ...ke-history-reporting-when-test-fails.patch | 19 +++--
>>  ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
>>  ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
>>  .../0001-extend-check_cwm-test-timeout.patch  | 32 ++++++++
>>  .../openssl/openssl/CVE-2024-41996.patch      | 44 -----------
>>  .../{openssl_3.2.6.bb => openssl_3.5.4.bb}    | 76 +++++++++++++------
>>  7 files changed, 116 insertions(+), 94 deletions(-)
>>  create mode 100644
>> meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
>>  delete mode 100644
>> meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
>>  rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb =>
>> openssl_3.5.4.bb} (75%)
>>
>>
>> 
>>
>>
>>
>> --
>>
>> Yoann Congal
>>
>> Smile ECS
>>
>>
>>
>> --
>>
>> Yoann Congal
>>
>> Smile ECS
>>


-- 
Yoann Congal
Smile ECS


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#232064): 
https://lists.openembedded.org/g/openembedded-core/message/232064
Mute This Topic: https://lists.openembedded.org/mt/117416674/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-