Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Michael Paquier <michael@paquier.xyz>
Cc: Peter Eisentraut <peter@eisentraut.org>,
Jacob Champion <jacob.champion@enterprisedb.com>,
Thomas Munro <thomas.munro@gmail.com>,
Postgres hackers <pgsql-hackers@lists.postgresql.org>,
mikael.kjellstrom@gmail.com,
Tom Lane <tgl@sss.pgh.pa.us>
Date: 2024-04-15T09:07:05Z
Lists: pgsql-hackers
Attachments
- v8-0005-Remove-pg_strong_random-initialization.patch (application/octet-stream) patch v8-0005
- v8-0004-Support-SSL_R_VERSION_TOO_LOW-on-LibreSSL.patch (application/octet-stream) patch v8-0004
- v8-0003-Support-disallowing-SSL-renegotiation-in-LibreSSL.patch (application/octet-stream) patch v8-0003
- v8-0002-Remove-support-for-OpenSSL-1.0.2.patch (application/octet-stream) patch v8-0002
- v8-0001-Doc-Use-past-tense-for-things-which-happened-in-t.patch (application/octet-stream) patch v8-0001
> On 15 Apr 2024, at 07:04, Michael Paquier <michael@paquier.xyz> wrote: > On Fri, Apr 12, 2024 at 02:42:57PM +0200, Daniel Gustafsson wrote: >> Is the attached split in line with how you were thinking about it? > > If I may, 0001 looks sensible here. The bits from 0003 and 0004 could > be applied before 0002, as well. Agreed, once we are in post-freeze I think those three are mostly ready to go. > - /* do post-fork initialization for random number generation */ > - pg_strong_random_init(); > > Perhaps you intented this diff to be in 0005 rather than in 0002? > With 0002 applied, only support for 1.0.2 is removed, not 1.1.0 yet. Yes, nice catch, that was a mistake in splitting up the patch into multiple pieces, it should be in the 0005 patch for strong random. Fixed. > s/requred/required/. Fixed. > Rather than calling always RAND_poll(), this > could use a static flag to call it only once when pg_strong_random is > called for the first time. Agreed, we can good that. Fixed. > I would not mind seeing this part entirely > gone with the removal of support for 1.1.0. If we want to keep autoconf from checking versions and just check compatibility (with our code) then we will remain at 1.1.0 compatibility. The only 1.1.1 API we use is not present in LibreSSL so we can't really place a hard restriction on that. It might be that keeping it for now, and removing it later during the v18 cycle as we modernize our OpenSSL code (which I hope to find time to work on) and make use of newer 1.1.1 API:s. That way we can keep our autoconf/meson checks consistent across library checks. If we end up with no new API:s to check for by the time the last commitfest of v18 rolls around, we can revisit the decision then. -- Daniel Gustafsson
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Remove obsolete unconstify()
- 1fb2308e698e 18.0 landed
-
Only perform pg_strong_random init when required
- c3333dbc0c0f 18.0 landed
-
Remove support for OpenSSL older than 1.1.0
- a70e01d4306f 18.0 landed
-
Support SSL_R_VERSION_TOO_LOW when using LibreSSL
- d80f2ce29465 17.0 landed
-
Support disallowing SSL renegotiation when using LibreSSL
- 44e27f0a6d07 17.0 landed
-
Doc: Use past tense for things which happened in the past
- 91d6429fad55 17.0 landed
-
Remove support for OpenSSL 1.0.1
- 8e278b657664 17.0 landed
-
Remove support for OpenSSL 0.9.8 and 1.0.0
- 7b283d0e1d1d 13.0 cited