On 7/5/23 10:44, Ben Ramsey wrote:
On Jun 13, 2023, at 15:06, Jan Ehrhardt <php...@ehrhardt.nl> wrote:Hi Christoph, "Christoph M. Becker" in php.internals (Wed, 18 Jan 2023 13:20:41 +0100):While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP 8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is only supported till 2023-09-11[1], while PHP 8.1 is supported till 2024-11-25[2]. Although I don't like bumping the OpenSSL version in the middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling behind security support. And if we do that bump, we better do it sooner than later. So, if there are no unforeseen problems, I suggest to build PHP 8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with OpenSSL 1.1.1). Thoughts? Objections? [1] <https://www.openssl.org/policies/releasestrat.html> [2] <https://www.php.net/supported-versions.php>I noticed that PHP 8.1.20 at https://windows.php.net/download/ was built with OpenSSL 1.1.1t and PHP 8.2.7 & 8.3.0 Alpha 1 with OpenSSL 3.0.8. What will be the official policy for 8.1, 8.2 and 8.3? All 3 versions with OpenSSL 3.0.x or 8.1 still with OpenSSL 1.1.1? And none of the three versions with OpenSSL 3.1.x? Please clarify.What’s the process for changing this? Do release managers need to change the way we bundle the packages, or does something need to be merged into the PHP-8.1 branch?
I've still not heard anything back regarding this.Is there anything the release managers need to do, or is this an issue specifically for the Windows builds?
If it's for the Windows builds only, how can we help facilitate this change? Cheers, Ben
OpenPGP_signature
Description: OpenPGP digital signature
