On Thu, 7 Dec 2023 at 12:33, Giuseppe D'Angelo <giuseppe.dang...@kdab.com> wrote: > * For how long is QNX going to support OpenSSL 1? Is OpenSSL 3 support > on the radar?
Yes, it's on the radar for QNX 8, which is not released yet. > Is there an online resource showing their commitment at > maintaining it? Is there the possibility of just building+shipping > OpenSSL 3 outside of what it's provided by the base OS? Well, like it is on Linux distros, building and shipping it as a replacement is not easy, and building and shipping it alongside is not easy either. > * For how long are *we* going to support QNX and OpenSSL 1 on there? Until QNX 8 ships. > * What about other platforms? Maybe we should keep OpenSSL1 support in 6.5 throughout the lifetime of that LTS. > * Can we put this "contract" in the docs? Sure seems like it would be a good idea to revisit this for the next LTS in any case. Make that the point where we drop OpenSSL1 regardless of whether Blackberry has managed to ship QNX 8. That's different from doing it in a patch release, or backporting the drop to everywhere. We can plausibly say at that point that we'll just drop it. > > I don't quite follow why the revert "must" include making OpenSSL1 > > entirely an opt-in. > > That doesn't change anything in how we build our release packages, at > > the end of the day. > > Innocent users should just build with an OpenSSL3-enabled system. > > Innocent users may have their own build scripts that pull OpenSSL 1 and > build Qt against that, without realizing that they're playing with fire. > We should never expose users to insecure defaults, hence the opt-in > flag, and a build error if you ask for autodetection and only OpenSSL 1 > is found. Well, okay then. Patch it first so that the opt-in supersedes autodetection but the autodetection is still there, then patch coin so that everything in it that needs this uses the opt-in, then drop the autodetection. -- Development mailing list Development@qt-project.org https://lists.qt-project.org/listinfo/development
