[oi-dev] phasing out openssl 1.0.2 (mostly)

[Till Wegmüller]

Hello

On 24.02.24 19:23, Marcel Telka wrote:
> Sorry, this is not true. Proof:
> 
> $ pkg contents -mr library/python/cryptography-39 | grep ^depend.*openssl
> dependfmri=pkg:/library/security/openssl-31 at 3.1.5-2024.0.0.0  type=require
> $ grep -i ssl components/python/cryptography/Makefile
> REQUIRED_PACKAGES += library/security/openssl-31
> $
> 
> Please note that you said "all" so single counter example is enough to
> prove your statement is not true.

As mentioned on the list some old components landed in that list which 
we can ignore, that does however not proof that the Mechanism we use to 
configure componentes works for each and every component. One such 
component which Goetz and I can see on the list that is actually not per 
default building agianst openssl 3.1 in ist's non default location is 
nginx. It requires script specific settings to properly link to 
openssl3.1. As this is a Hobbyist driven non payed OpenSource project, 
reducing churn is a very sensible idea. These small script changes can 
take many compile cycles af trial and error and thus we loose 
contributors either to frustration or simply them giving up on trying to 
fix the component. We will not be able to catch the people falling 
through the net so we need to make it easy for contributors to help.

Long story short I agree with Goetz suggestion and that mediator change 
was planned once we had a suitably small list of packages we can merge 
in a time window where we can tell people not to update and thus kill 
their system. With the current CI we have to use non default locations 
so it's always a question of picking your poison when we do. Linux 
distros have updated their CI to be able to make these changes, but we 
still need such an infrastructure change. I have as project to add such 
a feature to the infrastructure but that will only start showing up 
during this year.

-Till