William,

On 12/6/22 15:37, William Lallemand wrote:
> As I already mentioned, I don't really like the "latest" keyword for
> the OpenSSL version as it prevents us from having reproducible builds.
> It updates versions without warning, even major ones.

I agree and also was not really happy with the 'latest' back when it was introduced in the first place, but didn't care strongly enough to speak up then.

> What I suggest is to stop using "latest" for the "git push" CI, but
> using it only in a separate CI (once a day/week, I don't know). And only
> use fixed versions of the libraries on the CI so builds are not broken by
> external components. Because in my opinion the "git push" CI is to test
> our code, not the libraries.

I don't even think such a weekly job is necessary [1]. Add an item to the release checklist "check if any new SSL versions are available and add them to matrix.py" and this should be fine, all SSL versions will then be updated every 6 months and can also be updated on demand for important releases. It's similar to how I simply rerun the Coccinelle patches from time to time to fix whatever crept in since the last release.

Best regards
Tim Düsterhus
