Update OpenSSL to 1.1.1c #3822
Conversation
+1 for ngircd if it builds.
revbumps for my ports are all OK
As I don't yet have openssl 1.1.1 installed, I haven't tested all my ports. However, all ports other than certbot have upstream documentation that current releases are compatible with openssl 1.1.x. certbot (and certbot-apache & certbot-nginx) don't directly use openssl. However, it is brought in via Python and py-openssl (which lists openssl 1.1.0 as supported).
openssh will need to be updated to version 7.9p1, as prior versions don't support openssl 1.1.x.
xml-security-c is compatible with 1.1.1
Pretty sure alpine uses that openssl on other platforms, so as long as it builds, +1 from me.
+1 for ntpsec and libaes_siv. I verified that the current MacPorts source for those ports tests and builds with the new OpenSSL, albeit directly rather than via MacPorts. To do that, I temporarily installed the new OpenSSL port and rebuilt the curl and python27 ports to unbreak them (ignoring a zillion other temporarily broken ports).
Looks like all my ports build correctly. However, revision bumps on certbot and certbot-nginx are unneeded, while a revision bump for py-cryptography will be needed for certbot et al. to work.
So far I have found: broken missing from PR but building: nomaintainer in PR and building: |
Archlinux recently dropped QT4 without applying patches for OpenSSL 1.1.x
ArchLinux stopped porting QT4 to OpenSSL 1.1.x
Wrong statements. Arch Linux patched Qt4 for OpenSSL 1.1 compatibility
in 2017 [1], and the drop occurred in 2019 [2]. Qt4 + OpenSSL 1.1 had
worked fine on Arch Linux for almost 2 years.
@yan12125 Could I ask you to rebase/merge your branch again?
Will do after the fix for qt4-mac
(#5179) is merged.
[1] https://git.archlinux.org/svntogit/packages.git/commit/?id=d22be862cbcc117a02bd71369ae362d9e1a420e4
[2] https://git.archlinux.org/svntogit/packages.git/commit/?id=979cd87bda942d70c604a01dc90153f7369a1b38
Wrong statements. Arch Linux patched Qt4 for OpenSSL 1.1 compatibility
in 2017 [1], and the drop occurred in 2019 [2]. Qt4 + OpenSSL 1.1 had
worked fine on Arch Linux for almost 2 years.
And they probably shouldn't have dropped Qt4 altogether (if that's what they did). There will always remain software not ported to Qt5 (a good deal of which will continue to work just fine without notable security implications), and users who need that software for reasons they alone can judge/justify.
Removing the Qt4 package means those users will have to figure out how to do the build themselves, or run whatever binary packages they can still find, and there's a good chance those will not have all the latest patches.
If we keep old PPC stuff functional at the expense of the bulk of the Mac user community (most of whom are on the latest operating system), we probably make a lot of people unhappy to make a small number of people happy. I think it's okay to keep the old stuff running to the extent that it doesn't interfere with users of current operating systems.
Let's please not have more of the older-systems debate here in this PR, as it is not the right forum. Feel free to start a thread on the mailing list if you care to.
@yan12125 thanks for the information, I don't use it, so I didn't know it.
qt4-mac done in facea54.
This pull request is now ready for merge. Any last-minute comments?
I think it's better to merge this way and then proceed with updating packages when it's required.
Oops, I forgot about squid2 and squid3. Anyway, as those versions are no longer supported by upstream and there is only 1 user per statistics on ports.macports.org [1][2], I don't consider it a blocker. [1] https://ports.macports.org/port/squid2/stats?days=30&days_ago=0
As we saw with some ports above, dropping support was blocked even after 180 days with no downloads.
It's fine, go ahead and merge and I'll fix the old squids shortly.
Technically there is currently no way of determining that there were no downloads. We would have to parse the CDN logs, which isn't a bad idea to supplement the opt-in stats; it's just that nobody has done it yet. (And even if there were no downloads, it doesn't necessarily follow that nobody is using the port.) Anyway, the point is, don't over-extrapolate from the opt-in statistics, which only represent a sample of around 100 installations (compared to 300k downloads for some of our releases, not counting those who just selfupdated or downloaded from somewhere other than GitHub). There's a considerable "long tail" of less popular ports.
I'm fine with that and with the overall result.
Three minor issues with the revision bumps, other than that this LGTM.
@@ -40,6 +40,7 @@ if {${subport} eq ${name}} { | |||
subport ${name}-devel { |
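Review bot: the hunk's single added line (-40,6 +40,7) lands inside the `subport ${name}-devel {` block, while the hunk header's context line `if {${subport} eq ${name}} {` shows that the main port's settings live in a separate block above it; if the added line is the openssl revision bump, the non-devel subport is left at its old revision even though the port was selected for bumping because it depends on openssl. Add the same bump under the `if {${subport} eq ${name}}` block so both subports relink.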
Chances are the non-devel subport will also need a revbump for this port.
@neverpanic Thank you very much! I added fixes for
and one more conflicting port
Thanks! Now if people stop pushing new things, we can get this merged! ;-)
Closes: https://trac.macports.org/ticket/52101
Ref: https://trac.macports.org/ticket/58218 (old Qt5 versions)
Ref: https://trac.macports.org/ticket/58607 (old MySQL versions)
Ref: https://trac.macports.org/ticket/58630 (old PostgreSQL versions)

Generated with the following command:

    rg -l -g Portfile ':openssl\b' ../macports-ports | grep -v '/lang/php/' | grep -v '/aqua/qt5' | xargs ./revbump-ports.sh

revbump-ports.sh is from https://github.com/yan12125/revbump-ports/tree/4a47ad53d5bc1553b86f48dfbf946bc9a466306c

Skipping lang/php and aqua/qt5 as only php*-{ftp,openssl} and qt*-qtbase subports need revbumping, respectively.

1. False-positive version patterns

       $ git diff HEAD^ | nvim -R -

   and search in nvim using: ^\s*version\s\+\S\+\s

2. False-positive (commented) openssl dependency declaration. Search using:

       $ rg ':openssl\b' | rg '#' | sed 's#:.*##'

   Note that squid4 still depends on openssl.

3. Non-numeric revision strings. Search using:

       rg 'revision\s+\$\{.+\}' $(rg -l -g Portfile ':openssl\b' | grep -v 'lang/php/' | grep -v 'aqua/qt5')

   Only mythtv* is affected. mysql-like ports are already handled by https://github.com/yan12125/revbump-ports/blob/master/increase-revision-mysql.sed

… not all

Thanks neverpanic for identifying such issues! Approach:

1. git diff HEAD~4..HEAD~3 > diffs
2. Search pattern +\s\+revision from `diffs` with neovim and check relevant ports manually.
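The revbump procedure from the commit messages above (find every Portfile with a live openssl dependency, increment its revision so the port relinks against the new library, then weed out the two false positives the messages list: commented-out dependencies and non-numeric revisions), as an added example. This is illustrative code written for this page, not the PR author's revbump-ports.sh; the ports tree it builds (foo, bar, baz, mysql, quux) is constructed for the demo and the Portfile contents are minimal stand-ins. It bumps every plain `revision N` line in a matching Portfile, so a `-devel` subport and its main port move together, and it refuses to touch a file whose revision is an expression such as `revision ${revision_client}`, the mysql-like case the text says is handled separately.

```shell
#!/bin/sh
# Added illustration (not the PR's revbump-ports.sh): bump the revision of
# every Portfile that really depends on the openssl port, and flag the cases
# that need a human: commented-out dependencies are skipped, non-numeric or
# missing revisions are reported instead of edited.
set -eu

# List Portfiles under $1 whose ':openssl' dependency is not on a comment line.
# ':openssl' must be followed by a non-identifier character, so that
# port:openssl10 or port:openssl-devel does not count as a match.
find_openssl_dependents() {
    find "$1" -name Portfile | sort | while read -r pf; do
        if grep -v '^[[:space:]]*#' "$pf" \
           | grep -Eq ':openssl([^[:alnum:]_-]|$)'; then
            printf '%s\n' "$pf"
        fi
    done
}

# Increment every plain "revision N" line of one Portfile in place.
# Returns 1 and leaves the file alone when no such line exists, i.e. when the
# revision is an expression ("revision ${foo}"), carries a trailing comment,
# or is absent (MacPorts then defaults to 0 and a line must be added by hand).
bump_revision() {
    pf=$1
    grep -Eq '^[[:space:]]*revision[[:space:]]+[0-9]+[[:space:]]*$' "$pf" || return 1
    awk '
        /^[[:space:]]*revision[[:space:]]+[0-9]+[[:space:]]*$/ {
            match($0, /[0-9]+/)   # first digits on the line are the revision
            print substr($0, 1, RSTART - 1) (substr($0, RSTART, RLENGTH) + 1)
            next
        }
        { print }
    ' "$pf" > "$pf.tmp" && mv "$pf.tmp" "$pf"
}

# Walk a ports tree: bump what can be bumped mechanically, list the rest.
revbump_tree() {
    find_openssl_dependents "$1" | while read -r pf; do
        if bump_revision "$pf"; then
            printf 'bumped  %s\n' "$pf"
        else
            printf 'MANUAL  %s\n' "$pf"
        fi
    done
}

# Space-separated list of the revision values found in one Portfile.
revisions_of() {
    awk '/^[[:space:]]*revision[[:space:]]/ { out = out (out ? " " : "") $2 }
         END { print out }' "$1"
}

# Constructed sample tree (hypothetical ports, not the real MacPorts files).
make_sample_tree() {
    root=$1
    mkdir -p "$root/net/foo" "$root/net/bar" "$root/net/baz" \
             "$root/databases/mysql" "$root/devel/quux"
    # plain dependent: must be bumped
    printf 'name foo\nversion 1.2.3\nrevision 0\ndepends_lib port:openssl\n' \
        > "$root/net/foo/Portfile"
    # dependency commented out: a naive grep would bump this by mistake
    printf 'name bar\nversion 2.0\nrevision 2\n#depends_lib port:openssl\n' \
        > "$root/net/bar/Portfile"
    # depends on the separate openssl10 port, not openssl: must be skipped
    printf 'name baz\nversion 0.9\nrevision 1\ndepends_lib port:openssl10\n' \
        > "$root/net/baz/Portfile"
    # mysql-like non-numeric revision: needs a hand edit
    printf 'name mysql\nset revision_client 4\nrevision ${revision_client}\ndepends_lib path:lib/libssl.dylib:openssl\n' \
        > "$root/databases/mysql/Portfile"
    # main port and -devel subport each carry a revision; both must move
    cat > "$root/devel/quux/Portfile" <<'EOF'
name                quux
if {${subport} eq ${name}} {
    version         3.1
    revision        3
}
subport ${name}-devel {
    version         3.2-dev
    revision        1
}
depends_lib         path:lib/libssl.dylib:openssl
EOF
}

if [ "${1:-}" = "demo" ]; then
    tree=$(mktemp -d)
    make_sample_tree "$tree"
    revbump_tree "$tree"
    rm -rf "$tree"
fi
```

Run `sh revbump.sh demo` to see the decisions on the sample tree, or call `revbump_tree` on a real checkout and diff the result before committing. The MANUAL list is the part worth reading: a port reported there either has an expression as its revision, a trailing comment on the revision line, or no revision line at all, and in every one of those cases the right edit depends on the Portfile rather than on a regex.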
I think there are already enough reviews and I cannot imagine any further issue other than build failures for a few uncommon ports, so let's get it done! Thanks everyone for testing, reviewing and sharing awesome ideas!
Description
This is a WIP. The migration plan can be found at https://trac.macports.org/ticket/52101#comment:30.
Tested on: Not tested
TODOs:
- install-headers-HFS+.patch is no longer needed after OpenSSL 0.9.8k [1]; also the problematic files crypto/{bf,des}/INSTALL are removed in the OpenSSL 1.1 branch [2][3].
- parallel-building.patch: use_parallel_build no is back in [4], so this patch is not useful anyway. In the new build system introduced in OpenSSL 1.1, dependency info is recorded in various build.info files. Hopefully parallel building will work fine. Enabling parallel building can be postponed to the future (i.e., after this pull request is merged).
- remove-duplicate-bn_print-doc.patch: one of the conflicting files, doc/crypto/bn_internal.pod, is moved out of doc/ since OpenSSL 1.1 [5], and only files under doc/ are processed [6].
- revision ${foobar} (ex: mysql*, mariadb*)
- Check popular software

[1] openssl/openssl@7d368fc
[2] openssl/openssl@b8a9af6#diff-1bd050ccaca35f3bb9c7971131671ed1
[3] openssl/openssl@24956ca#diff-3f5df9c20c5f557ccd10ae5a5de91519
[4] https://trac.macports.org/ticket/46719
[5] openssl/openssl@5393482#diff-7cd9a43108bb52726514b6da2243e1d8
[6] https://github.com/openssl/openssl/blob/OpenSSL_1_1_1c/util/process_docs.pl#L49