[oi-dev] phasing out openssl 1.0.2 (mostly)
Goetz T. Fischer
g.fischer at r-a-c.de
Sat Feb 24 17:27:30 UTC 2024
hey all,
as you know there're still some packages in the repo that use openssl 1.0.2. so
far this had the unpleasant implication that all new packages had to be
hardcoded to newer ssl versions one way or the other, because the buildsystem's
ssl mediator had to remain at 1.0.
obviously that wastes a lot of time and usually should be the other way around.
i.e. only hardcoding the handful of packages which, for whatever reason, still
need 1.0.2 and having the buildsystem's ssl mediator set to whatever is
considered the default at the time. having a significantly smaller number of
packages with a fixed ssl version also makes switching to a different ssl
version at some point much nicer. the latter of course depending on how much
has been modified of each package to achieve the fixed ssl dependency.
right now 91 packages are affected. see attachment for the list. not counting
the ones which even need 0.9.8 :-O
some of them should obviously be updated anyway. especially server things that
are reachable from the outside like proftpd or nginx would be priority targets
in any case. probably more tricky is the system stuff like wpa.
some packages will likely be stuck with ssl 1.0.2 because they can't be updated
for various reasons. the ones who remain[1] would be the candidates for actual
patching to make them use a fixed (older) ssl version.
in short, the fact that a single program, that has been retired 4 years ago,
(still) has such an impact on the whole buildsystem is a condition that should
likely be changed rather sooner than later.
an alternative approach:
the general goal is to keep the ssl dependency flexible. at least as far as
each program's code is concerned. if doing that by mediator causes too many
problems, using $(OPENSSL_INCDIR) and $(OPENSSL_LIBDIR) in the Makefile could
be an alternative for those programs/packages where that's sufficient.
having a peek at other repos shows that e.g. the solaris userland has sort of a
compromise solution. they do set the ssl version explicitly. however, their
package names only contain the major version like "openssl-3" and the same goes
for the install paths like "/usr/openssl/3/". that's not as flexible as having
$(OPENSSL_INCDIR) and $(OPENSSL_LIBDIR) only or having it sorted by the
mediator but at least allows all 3.x versions without code changes.
regardless of the mediator, selecting and updating the packages for which
$(OPENSSL_INCDIR) and $(OPENSSL_LIBDIR) is enough can be done anyway.
[1] slightly modified loki reference
--
R-A-C
Götz T. Fischer CertIT&Comp
+49(0)7225/98 98 79
g.fischer at r-a-c.de
r-a-c.de