On 12/04/17 03:06, Matthias Andree wrote:
> On 11.04.2017 at 23:56, David Sommerseth wrote:
>> On 11/04/17 23:20, Steffan Karger wrote:
>>> For release/2.4: I wonder whether we need to keep 0.9.8 support, as
>>> SLES11 still ships with 0.9.8h, and has general support until 31 Mar 2019.
>> While it is James who insisted on RHEL being the oldest supported distro
>> many years ago, I have no issues with keeping SLES *or* RHEL as the
>> oldest supported distro, in regards to package dependencies.
>>
>> Do we know if we have a large group of SLES 11 users? Initially I
>> thought it was related to OpenVPN-NL ... until I recalled that
>> OpenVPN-NL should be built against mbed TLS :)
>
> How many of the enterprise users will want to update and then can't be
> bothered to install a newer OpenSSL into /opt?
> Older OpenSSL versions are EOL, I don't think the community edition
> should waste any energy on supporting such stuff. I'd even discontinue
> 1.0.1 support on master for the same reason because 1.0.1 is also past
> the end of its life.

On Enterprise Linux (at least RHEL and SLES), OpenSSL 1.0.1 *is* supported by the distro. I can't speak for SUSE, but I know for a fact that Red Hat have people ensuring important OpenSSL issues are backported and fixed during the lifetime of RHEL. So on RHEL 5, OpenSSL 0.9.8 was even fully supported and updated all up until March 31, 2017. But it isn't supported by the OpenSSL community.

And the packaging side of side-loading libraries into /opt will also be a complete mess. *EL distributions are updated continuously for at least 7-10 years. Those basing their environment on these distributions will not be bothered manually maintaining an /opt based OpenSSL version; what will happen is that they make it run once and forget to update it until OpenVPN installs break again. And if the OpenVPN package maintainer needs to maintain an /opt based OpenSSL package on top of that and to ensure /usr/sbin/openvpn picks the right OpenSSL version .... nah, that's not going to fly well.

So as long as the *EL distributions keep their OpenSSL packages updated and backport fixes ... I see no reason why we shouldn't leverage on their work. At least for RHEL, every RPM update goes through several QE steps, where regression testing happens for a lot of known issues in addition to package install/upgrade/downgrade/uninstall tests. So the long-term package stability should be reasonably high.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc