Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

From: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Michael Paquier <michael(at)paquier(dot)xyz>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?
Date: 2024-03-30 20:48:31
Message-ID: CA+hUKGKh7QrYzu=8yWEUJvXtMVm_CNWH1L_TLWCbZMwbi1XP2Q@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Thu, Sep 7, 2023 at 11:44 PM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> > On 7 Sep 2023, at 13:30, Thomas Munro <thomas(dot)munro(at)gmail(dot)com> wrote:
> > I don't like the idea that our *next* release's library version
> > horizon is controlled by Red Hat's "ELS" phase.
>
> Agreed. If we instead fence it by "only non-EOL version" then 1.1.1 is also on
> the chopping block for v17 as it goes EOL in 4 days from now with 1.1.1w (which
> contains a CVE, going out with a bang). Not sure what the best strategy is,
> but whichever we opt for I think the most important point is to document it
> clearly.

I was reminded of this thread by ambient security paranoia. As it
stands, we require 1.0.2 (but we very much hope that package
maintainers and others in control of builds don't decide to use it).
Should we skip 1.1.1 and move to requiring 3 for v17?

Upstream says:

"The latest stable version is the 3.2 series supported until 23rd
November 2025. Also available is the 3.1 series supported until 14th
March 2025, and the 3.0 series which is a Long Term Support (LTS)
version and is supported until 7th September 2026. All older versions
(including 1.1.1, 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of
support and should not be used."

I understand that some distros eg RHEL8 will continue to ship and
presumably patch 1.1.1 until some date later than upstream's EOL, for
stability and the benefit of people that really need it for a bit
longer, but that's in parallel with their package for 3, right? New
things should surely be able to require new things. I think we'd have
to reject the argument that we should support it just because they
ship it until the year 2030, or that upstream will support anything
for $50,000/year. I mean, they only do that because some old apps
need it, to which I say 40P01 DEADLOCK DETECTED.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2024-03-30 20:50:26 Re: Security lessons from liblzma
Previous Message Nathan Bossart 2024-03-30 20:03:29 Re: Popcount optimization using AVX512