Opened 8 years ago
Closed 5 years ago
#52101 closed update (fixed)
openssl @1.0.2h_1: update to 1.1.1c
Reported by: | larryv (Lawrence Velázquez) | Owned by: | larryv (Lawrence Velázquez) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | |
Keywords: | | Cc: | neverpanic (Clemens Lang), l2dy (Zero King), Schamschula (Marius Schamschula), 1st1 (Yury Selivanov), aque (Allan Que), yan12125 (Chih-Hsuan Yen), pmetzger (Perry E. Metzger), alexwhitewhale (Alexander Romanovich), smwardle, dmarteau (David Marteau), FranklinYu (Franklin Yu) |
Port: | openssl | | |
Description
Change History (39)
comment:1 follow-up: 3 Changed 8 years ago by jmroot (Joshua Root)
comment:2 Changed 8 years ago by ryandesign (Ryan Carsten Schmidt)
Cc: | cal@… added; cal@… removed |
---|
comment:3 Changed 8 years ago by jmroot (Joshua Root)
Replying to jmroot:
> PyPy will not build against OpenSSL 1.1 at this point, JFYI.
Fixed as of PyPy 5.6.
comment:4 Changed 8 years ago by l2dy (Zero King)
Cc: | l2dy added |
---|
comment:5 Changed 8 years ago by Schamschula (Marius Schamschula)
Cc: | Schamschula added |
---|
comment:7 Changed 7 years ago by neverpanic (Clemens Lang)
@larryv, any opinion on this? I think we should be good to update now. Software that hasn't been fixed to work with OpenSSL 1.1 by now is probably rare.
comment:9 Changed 7 years ago by 1st1 (Yury Selivanov)
Python 3.7 requires OpenSSL 1.1. It's not possible to build it with ssl support and OpenSSL 1.0.2.
comment:10 Changed 7 years ago by 1st1 (Yury Selivanov)
Never mind, Python 3.7 compiles with OpenSSL 1.0.2n. Just use "./configure --with-openssl=/opt/local/"
comment:11 Changed 7 years ago by gaming-hacker (G Alexander)
I started hacking on the portfile, but there are errors trying to copy one of the headers. If you add the rfc variant, it doesn't build.

```
version     1.1.0g
checksums   sha1    e8240a8be304d4317a750753321b073c664bfdd4 \
            sha256  de4d501267da39310905cb6dc8c6121f7a2cad45a7707f76df828fe1b85073af
```
comment:12 Changed 7 years ago by gaming-hacker (G Alexander)
Has anyone experimented with sha3? Encoding a video stream? Using it over a tor socket?
comment:13 Changed 6 years ago by aque (Allan Que)
Cc: | aque added |
---|
comment:14 Changed 6 years ago by aque (Allan Que)
I got version 1.1.0h to build on my branch and tests passed under High Sierra. `py35-m2crypto` (a port I maintain) also passed its tests. However, the following failed to rev-upgrade on my system:
- cyrus-sasl2 - requires a backport from 2.1.27-rc7
- rtmpdump
- cargo / cargo-stage1

`xar` also failed but I found and applied a patch. The others are beyond my ability. I did find a FreeBSD issues wikipage that helps.
comment:15 Changed 6 years ago by yan12125 (Chih-Hsuan Yen)
Cc: | yan12125 added |
---|
comment:17 Changed 6 years ago by mf2k (Frank Schima)
Summary: | openssl @1.0.2h_1: update to 1.1.0 → openssl @1.0.2h_1: update to 1.1.1 |
---|
comment:18 Changed 6 years ago by pmetzger (Perry E. Metzger)
Re: the 1.1.1 release:
We are on the previous LTS which only has support to the end of this calendar year, and it will take a while to upgrade, so it might make sense to begin the work now so that we can do it at a reasonable pace. 1.1.1 also is the first release with TLS 1.3 support, which we likely really really want.
comment:19 Changed 6 years ago by pmetzger (Perry E. Metzger)
Cc: | pmetzger added |
---|
comment:20 Changed 6 years ago by alexwhitewhale (Alexander Romanovich)
Cc: | alexwhitewhale added |
---|
comment:21 follow-up: 27 Changed 6 years ago by yan12125 (Chih-Hsuan Yen)
Some old software will never get OpenSSL 1.1 compatibility as they have been dropped upstream before OpenSSL 1.1.0 is released. Examples are Python 2.x < 2.7 and 3.x < 3.5 (1). If MacPorts switches to OpenSSL 1.1, what to do with those ports? IMO backporting is not an option for old Python versions as the patch is quite big.
In Arch Linux, OpenSSL 1.0 and 1.1 co-exist, and old packages are built against OpenSSL 1.0. An issue in such an approach is that OpenSSL 1.0 should be built with versioned symbols (2) so that there are no conflicts if a program (directly or indirectly) links to both OpenSSL 1.0 and 1.1. I'm not sure if it's a problem or not in macOS/Mach-O.
comment:22 follow-up: 23 Changed 6 years ago by pmetzger (Perry E. Metzger)
We are dropping support for python below 2.7 already, as well as for python 3 before 3.4. We can start dropping before 3.5 as well.
We could start statically linking other old packages against OpenSSL 1.0 to resolve internal dependencies perhaps? Not sure if it would work. Regardless, we can't support unsupported stuff forever. It's madness in the end.
comment:23 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to pmetzger:
> We could start statically linking other old packages against OpenSSL 1.0 to resolve internal dependencies perhaps?
Definitely not, for all the usual reasons why we don't static link.
comment:24 Changed 6 years ago by smwardle
Cc: | smwardle added |
---|
comment:25 Changed 6 years ago by dmarteau (David Marteau)
Cc: | dmarteau added |
---|
comment:26 Changed 6 years ago by FranklinYu (Franklin Yu)
Cc: | FranklinYu added |
---|
comment:27 follow-up: 34 Changed 6 years ago by FranklinYu (Franklin Yu)
Replying to yan12125:
> Some old software will never get OpenSSL 1.1 compatibility as they have been dropped upstream before OpenSSL 1.1.0 is released. Examples are Python 2.x < 2.7 and 3.x < 3.5 (1). If MacPorts switches to OpenSSL 1.1, what to do with those ports? IMO backporting is not an option for old Python versions as the patch is quite big.
>
> In Arch Linux, OpenSSL 1.0 and 1.1 co-exist, and old packages are built against OpenSSL 1.0. An issue in such an approach is that OpenSSL 1.0 should be built with versioned symbols (2) so that there are no conflicts if a program (directly or indirectly) links to both OpenSSL 1.0 and 1.1. I'm not sure if it's a problem or not in macOS/Mach-O.
Would it be feasible to release a Port revision for all the affected ports?
comment:28 Changed 6 years ago by l2dy (Zero King)
Summary: | openssl @1.0.2h_1: update to 1.1.1 → openssl @1.0.2h_1: update to 1.1.1b |
---|
comment:29 follow-up: 30 Changed 6 years ago by Schamschula (Marius Schamschula)
I ran into a port today that can't be updated until we have openssl 1.1.1: `rsyncrypto 1.14`. The configure script failed `Need openssl 1.1.0 or higher`.
comment:30 Changed 6 years ago by yan12125 (Chih-Hsuan Yen)
Replying to Schamschula:
> I ran into a port today that can't be updated until we have openssl 1.1.1: `rsyncrypto 1.14`. The configure script failed `Need openssl 1.1.0 or higher`.
Then you may be interested in https://github.com/macports/macports-ports/pull/3783 ("openssl11: new port, version 1.1.1b").
My idea is creating a port for OpenSSL 1.1.1 and migrating away from OpenSSL 1.0.2 port-by-port. Specifically:
- Install openssl11 to replace the openssl port on your machine
- Make sure all ports that depend on openssl still work with openssl11. In this step `port rev-upgrade` is useful.
- If a port builds with openssl but not openssl11, try to patch it
- When all ports in the tree are compatible with openssl11, the openssl port can be upgraded to 1.1.1 and then openssl11 can be deprecated (e.g., replaced_by openssl)
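
Added example, not part of the ticket or of MacPorts: a Python helper that reads `otool -L` output and reports which OpenSSL ABI each binary loads, directly or through another library, so that binaries pulling in both 1.0 and 1.1 (the conflict raised in comment:21) stand out during a port-by-port migration. The sample output, tool names and library paths are constructed for illustration.

```python
import re

# OpenSSL install names carry the ABI version: libssl.1.0.0.dylib, libssl.1.1.dylib
OPENSSL_DYLIB = re.compile(r"/lib(?:ssl|crypto)\.(\d+(?:\.\d+)+)\.dylib$")

# Constructed sample of concatenated `otool -L` output; names and paths are made up.
SAMPLE = """\
/opt/local/bin/legacy-tool:
\t/opt/local/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
\t/opt/local/lib/libcurl.4.dylib (compatibility version 10.0.0, current version 10.0.0)
/opt/local/lib/libcurl.4.dylib:
\t/opt/local/lib/libcurl.4.dylib (compatibility version 10.0.0, current version 10.0.0)
\t/opt/local/lib/libssl.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
/opt/local/bin/modern-tool:
\t/opt/local/lib/libcrypto.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
"""

def parse_otool(text):
    """Turn `otool -L` output into {binary: [install names it loads]}."""
    deps, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]          # header line: "<path>:"
            deps[current] = []
        elif current is not None:
            deps[current].append(line.strip().split(" (compatibility")[0])
    return deps

def openssl_abis(binary, deps, seen=None):
    """OpenSSL ABI versions reachable from `binary`, following indirect links."""
    seen = set() if seen is None else seen
    if binary in seen:                            # dylibs list themselves first
        return set()
    seen.add(binary)
    abis = set()
    for lib in deps.get(binary, []):
        match = OPENSSL_DYLIB.search(lib)
        if match:
            abis.add(match.group(1))
        abis |= openssl_abis(lib, deps, seen)
    return abis

def audit(text):
    """Return ({binary: sorted ABIs}, [binaries loading more than one ABI])."""
    deps = parse_otool(text)
    report = {b: sorted(openssl_abis(b, deps)) for b in deps}
    report = {b: v for b, v in report.items() if v}
    return report, sorted(b for b, v in report.items() if len(v) > 1)
```

`otool -L` lists only direct dependencies, so the input has to include the output for each library as well as for the executables.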
comment:31 Changed 6 years ago by yan12125 (Chih-Hsuan Yen)
comment:32 Changed 6 years ago by aque (Allan Que)
comment:33 Changed 6 years ago by neverpanic (Clemens Lang)
Unfortunately this plan will mean that users that have OpenSSL 1.1 installed will download binaries for software that will then immediately get rebuilt because rev-upgrade detects that it is not compatible with the installed version of OpenSSL. We should hence keep the transition period as short as possible and upgrade the main port to OpenSSL 1.1 soon, revbump the dependents and remove the openssl11 port again.
comment:34 Changed 6 years ago by yan12125 (Chih-Hsuan Yen)
Replying to FranklinYu:
> Would it be feasible to release a Port revision for all the affected ports?
Here's now a possible solution: https://github.com/macports/macports-ports/pull/3831
comment:35 Changed 6 years ago by yan12125 (Chih-Hsuan Yen)
comment:36 Changed 6 years ago by yan12125 (Chih-Hsuan Yen)
comment:37 Changed 5 years ago by Chih-Hsuan Yen <yan12125@…>
comment:38 Changed 5 years ago by yan12125 (Chih-Hsuan Yen)
Summary: | openssl @1.0.2h_1: update to 1.1.1b → openssl @1.0.2h_1: update to 1.1.1c |
---|
comment:39 Changed 5 years ago by yan12125 (Chih-Hsuan Yen)
Resolution: | → fixed |
---|---|
Status: | new → closed |