In article <rmio88a8c7t....@s1.lexort.com>,
Greg Troxel <g...@lexort.com> wrote:
>-=-=-=-=-=-
>
>
>This is a software engineering question, not a security question and
>hence here.
>
>openssl 3.0.0 is out, and it has a lot of compat issues.
>I hear that openssl 1.1.1 only has two years of maintenance left.
>
>history: 8 was released in July 2018 and 9 in February 2020. At that
>pace, 10 will be released in September 2021, but there are only 12 hours
>left :-)
>
>I observe that 10, if released in April 2022 (just making that up), can
>be expected to need support until mid 2026. And 9 will need support until
>2024.
>
>Hence, I'm going to ignore 8, as it will be out of support long before
>1.1.1 is desupported upstream (but don't quote on that in fall of 2023).
>
>
>What are people thinking about
>
>  updating openssl to 3.0.0 in current
>
>  if so, the effects on building pkgsrc and how to sequence that
>
>  pulling up openssl 3 to 9?
>
>
>I am guessing:
>
>  pkgsrc needs to be able to cope with 3.0.0 first
>
>  openssl 3.0.0 should go in current, for 10
>
>  9 and esp 8 will not get pullups. It's an ABI break and not allowed.
>
>
>(Asking with pkgsrc-pmc hat on as we have similar questions in pkgsrc
>and all of this is a bit tangled.)

My thoughts are:

- It is too late to put OpenSSL-3.0.0 in current, to become part of
  NetBSD-10.
- After the NetBSD-10 branch, I will move OpenSSL-1.1.1 to openssl.old
  and import OpenSSL-3.0.0 in openssl. Every port will point to
  openssl.old.
- I will provide OpenSSL-3.0.0 source compatibility to OpenSSL-1.1.1 if
  needed (like I did for OpenSSL-1.1.x and OpenSSL-1.0.x) by adding the
  missing functionality if needed (and if possible).
- I will make HEAD work with both OpenSSL-3.0.0 and OpenSSL-1.1.1.
- I will switch all ports to use OpenSSL-3.0.0.
- Unfortunately pkgsrc will suffer the same way it did in the previous
  upgrade.

christos