Date: Mon, 24 Apr 2023 16:49:43 +0200
From: Dimitry Andric <dim@FreeBSD.org>
To: Warner Losh <imp@bsdimp.com>
Cc: Charlie Li <vishwin@freebsd.org>, Ed Maste <emaste@freebsd.org>, Joerg Pulz <Joerg.Pulz@frm2.tum.de>, freebsd-arch <freebsd-arch@freebsd.org>
Subject: Re: OpenSSL in the FreeBSD base system / FreeBSD 14
Message-ID: <BC5F58E1-7B14-414F-A592-F6A75634D8DC@FreeBSD.org>
In-Reply-To: <CANCZdfrr_H6AnLdw6wVhXMbwat9kT0JT1B4u0rjOP_Hfp2AX_Q@mail.gmail.com>
References: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com> <nycvar.OFS.7.77.840.2304201411080.78141@unqrf.nqzva.sez2.ghz.qr> <CAPyFy2DQsNLXmELTun6n590opjcAom-3MQE_jKda7AU4LdcGGg@mail.gmail.com> <8e00be00-e327-64d2-0018-7525a1ba6f2e@freebsd.org> <CANCZdfrr_H6AnLdw6wVhXMbwat9kT0JT1B4u0rjOP_Hfp2AX_Q@mail.gmail.com>

On 24 Apr 2023, at 16:39, Warner Losh <imp@bsdimp.com> wrote:
>
> On Mon, Apr 24, 2023, 8:33 AM Charlie Li <vishwin@freebsd.org> wrote:
> Ed Maste wrote:
> > The problem is that we have conflicting constraints: OpenSSL 1.1.1 is
> > EOL shortly after 14.0 releases, and there are ports that do not yet
> > build against OpenSSL 3. I am not sure how much will be broken if we
> > update the base system to OpenSSL 3 but leave the privatelib aside
> > (i.e., have the base system provide OpenSSL 3 to ports).
> >
> OpenSSL 3 is a major, even larger than 1.1, API/ABI change. Quite a bit
> of stuff will be broken today. The effort here has to include working
> with as many port upstreams as possible to force the issue, as they may
> not hold OpenSSL 3 compatibility to be an immediate priority; patching
> ports on a large scale like this is not sustainable.
>
> So why can't ports like this use 1.1 as a port rather than from base?

Trouble starts when you attempt to mix openssl 1.1 and 3.0 libraries
(both dynamic and static!) in dependent ports, because symbol names will
collide. This is not an easily solvable problem, apart from the fact
that an openssl 1.1 port would have the same basic issue that openssl
1.1 in the base system has: it will no longer be supported (at least
without paying up) after $CUTOFF_DATE.

The rest of the open source world has exactly the same problem of
course, so either all abandoned openssl-1.x using programs have to be
completely ditched, or you have to keep openssl-1.x on life support
somehow. Guess what will happen. :)

I think it is likely that this will be a repeat of the Python 2.x
debacle, e.g. against better judgement everybody will just keep on using
the deprecated version for years, and it may never fade out
completely...

-Dimitry
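
The mixing problem described in the message above can be audited from dynamic-linker listings. The following is an added example, not part of the original message or of FreeBSD's own tooling: it parses `ldd` output and reports binaries whose dependency closure contains more than one version of libcrypto or libssl. The binary paths, library names and sonames in the sample are constructed.

```python
import re
from collections import defaultdict

# Shared-object names such as "libcrypto.so.3" or "libssl.so.1.1".
SONAME_RE = re.compile(r"\b(lib(?:crypto|ssl))\.so\.([0-9][0-9A-Za-z.]*)")

# Constructed sample of `ldd` output for two binaries. Paths and sonames are
# illustrative assumptions; a platform's actual OpenSSL sonames may differ.
SAMPLE_LDD = """\
/usr/local/bin/exampled:
    libexample.so.1 => /usr/local/lib/libexample.so.1 (0x0)
    libssl.so.3 => /usr/local/lib/libssl.so.3 (0x0)
    libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x0)
    libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x0)
    libc.so.7 => /lib/libc.so.7 (0x0)
/usr/local/bin/cleand:
    libssl.so.3 => /usr/local/lib/libssl.so.3 (0x0)
    libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x0)
    libc.so.7 => /lib/libc.so.7 (0x0)
"""

def audit(ldd_output):
    """Return {binary: {lib: [versions]}} for binaries loading two OpenSSL versions."""
    per_binary = defaultdict(lambda: defaultdict(set))
    current = None
    for line in ldd_output.splitlines():
        # An unindented line ending in ":" starts the listing for a new binary.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            continue
        if current is None:
            continue
        # Match on the requested soname (left of "=>"), not the resolved path.
        m = SONAME_RE.search(line.split("=>")[0])
        if m:
            per_binary[current][m.group(1)].add(m.group(2))
    findings = {}
    for binary, libs in per_binary.items():
        mixed = {lib: sorted(v) for lib, v in libs.items() if len(v) > 1}
        if mixed:
            findings[binary] = mixed
    return findings

if __name__ == "__main__":
    for binary, mixed in audit(SAMPLE_LDD).items():
        print(binary, mixed)
```

This only sees dynamically linked dependencies; statically linked copies of OpenSSL and libraries loaded later with `dlopen()` do not appear in `ldd` output and need a separate check.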