Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?
Peter Eisentraut <peter@eisentraut.org>
From: Peter Eisentraut <peter@eisentraut.org>
To: Thomas Munro <thomas.munro@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>
Cc: Daniel Gustafsson <daniel@yesql.se>, Michael Paquier
<michael@paquier.xyz>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-04-03T22:51:22Z
Lists: pgsql-hackers
On 30.03.24 22:27, Thomas Munro wrote: > On Sun, Mar 31, 2024 at 9:59 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: >> Thomas Munro <thomas.munro@gmail.com> writes: >>> I was reminded of this thread by ambient security paranoia. As it >>> stands, we require 1.0.2 (but we very much hope that package >>> maintainers and others in control of builds don't decide to use it). >>> Should we skip 1.1.1 and move to requiring 3 for v17? >> >> I'd be kind of sad if I couldn't test SSL stuff anymore on my >> primary workstation, which has >> >> $ rpm -q openssl >> openssl-1.1.1k-12.el8_9.x86_64 >> >> I think it's probably true that <=1.0.2 is not in any distro that >> we still need to pay attention to, but I reject the contention >> that RHEL8 is not in that set. > > Hmm, OK so it doesn't have 3 available in parallel from base repos. > But it's also about to reach end of "full support" in 2 months[1], so > if we applied the policies we discussed in the LLVM-vacuuming thread > (to wit: build farm - EOL'd OSes), then... One question I'm unclear > on is whether v17 will be packaged for RHEL8. The rest of the thread talks about the end of support of RHEL 7, but you are here talking about RHEL 8. It is true that "full support" for RHEL 8 ended in May 2024, but that is the not the one we are tracking. We are tracking the 10-year one, which I suppose is now called "maintenance support". So if the above package list is correct, then we ought to keep supporting openssl 1.1.* until 2029.
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Remove obsolete unconstify()
- 1fb2308e698e 18.0 landed
-
Only perform pg_strong_random init when required
- c3333dbc0c0f 18.0 landed
-
Remove support for OpenSSL older than 1.1.0
- a70e01d4306f 18.0 landed
-
Support SSL_R_VERSION_TOO_LOW when using LibreSSL
- d80f2ce29465 17.0 landed
-
Support disallowing SSL renegotiation when using LibreSSL
- 44e27f0a6d07 17.0 landed
-
Doc: Use past tense for things which happened in the past
- 91d6429fad55 17.0 landed
-
Remove support for OpenSSL 1.0.1
- 8e278b657664 17.0 landed
-
Remove support for OpenSSL 0.9.8 and 1.0.0
- 7b283d0e1d1d 13.0 cited