On 18/06/20 12:07 pm, Viktor Dukhovni wrote:
On Jun 17, 2020, at 9:34 PM, Peter <pe...@pajamian.dhs.org> wrote:

I'd like to avoid this if possible.  CentOS 7 has openssl 1.0.2k and doesn't go 
EOL until 2024.  I'd like to be able to support new Postfix releases for it for 
at least another two or three years.

Postfix 3.5 will be supported until 3.9 comes out.  The only
major changes I'd expect in 3.6, 3.7 and 3.8 that you might
want on some older platforms would in fact be support for
newer versions of OpenSSL and the like, but then you don't
need OpenSSL 1.0.2 (no longer supported upstream).

That's fair enough. In that case I can just keep my CentOS 7 packages on 3.5 until EOL and it shouldn't be an issue (this is similar to what I am doing for CentOS 6 on 3.3). In the worst-case scenario, if there ends up being a newer must-have feature that I get a significant number of requests for, I can package a newer parallel-installable openssl for it.

Continuing to support OpenSSL 1.0.2 holds back progress and has
a non-trivial complexity cost.  It is time to move on.  OpenSSL
3.0 will ship soon, and it gets increasingly difficult to cover
the full spectrum of features from 1.0.2 through 3.0.0.

That's fine, I just wanted to voice that there are still platforms with older openssl in case that affects your decision. What you've said above is quite reasonable, though.

That said, CentOS 8 is on openssl 1.1.1c so I'm hoping that will continue to be supported for the foreseeable future.


Peter
