hey all,

as you know there're still some packages in the repo that use openssl 1.0.2. so far this had the unpleasant implication that all new packages had to be hardcoded to newer ssl versions one way or the other, because the buildsystem's ssl mediator had to remain at 1.0.

obviously that wastes a lot of time and usually should be the other way around. i.e. only hardcoding the handful of packages which, for whatever reason, still need 1.0.2 and having the buildsystem's ssl mediator set to whatever is considered the default at the time.

having a significantly smaller number of packages with a fixed ssl version also makes switching to a different ssl version at some point much nicer. the latter of course depending on how much has been modified of each package to achieve the fixed ssl dependency.

right now 91 packages are affected. see attachment for the list. not counting the ones which even need 0.9.8 :-O

some of them should obviously be updated anyway. especially server things that are reachable from the outside like proftpd or nginx would be priority targets in any case. probably more tricky is the system stuff like wpa.

some packages will likely be stuck with ssl 1.0.2 because they can't be updated for various reasons. the ones who remain[1] would be the candidates for actual patching to make them use a fixed (older) ssl version.

in short, the fact that a single program, that has been retired 4 years ago, (still) has such an impact on the whole buildsystem is a condition that should likely be changed rather sooner than later.

an alternative approach:

the general goal is to keep the ssl dependency flexible. at least as far as each program's code is concerned. if doing that by mediator causes too many problems, using $(OPENSSL_INCDIR) and $(OPENSSL_LIBDIR) in the Makefile could be an alternative for those programs/packages where that's sufficient.

having a peek at other repos shows that e.g. the solaris userland has sort of a compromise solution. they do set the ssl version explicitly. however, their package names only contain the major version like "openssl-3" and the same goes for the install paths like "/usr/openssl/3/". that's not as flexible as having $(OPENSSL_INCDIR) and $(OPENSSL_LIBDIR) only or having it sorted by the mediator but at least allows all 3.x versions without code changes.

regardless of the mediator, selecting and updating the packages for which $(OPENSSL_INCDIR) and $(OPENSSL_LIBDIR) is enough can be done anyway.

[1] slightly modified loki reference

--
R-A-C
Götz T. Fischer
CertIT&Comp
+49(0)7225/98 98 79
g.fisc...@r-a-c.de
r-a-c.de
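
An added example, not part of the original mail or of the project's tooling: a small audit that sorts component Makefiles into those pinned to a fixed OpenSSL version and those that only use $(OPENSSL_INCDIR) / $(OPENSSL_LIBDIR). It assumes a pin appears as a literal /usr/openssl/<version> path (the layout quoted in the mail); the sample tree, component names and configure options are constructed.

```shell
#!/bin/sh
# Added example: audit component Makefiles for a fixed OpenSSL version.
# Assumption: a pinned version shows up as a literal /usr/openssl/<version>
# path (the layout quoted in the mail); real trees may pin it differently.

# Print "pinned:<ver>", "flexible" or "none" for one Makefile.
classify_makefile() {
    # Drop comments so commented-out lines are not counted.
    body=$(sed 's/#.*//' "$1")
    ver=$(printf '%s\n' "$body" |
        sed -n 's|.*/usr/openssl/\([0-9][0-9.]*\).*|\1|p' | sort -u | head -n 1)
    if [ -n "$ver" ]; then
        echo "pinned:$ver"
    elif printf '%s\n' "$body" | grep -Eq '\$\(OPENSSL_(INCDIR|LIBDIR)\)'; then
        echo "flexible"
    else
        echo "none"
    fi
}

# Print "<component> <class>" for every Makefile one level below $1.
audit_tree() {
    for mf in "$1"/*/Makefile; do
        [ -f "$mf" ] || continue
        printf '%s %s\n' "$(basename "$(dirname "$mf")")" "$(classify_makefile "$mf")"
    done
}

# Constructed sample tree (component names and contents are made up).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/legacy-daemon" "$t/modern-client" "$t/no-tls"
    cat > "$t/legacy-daemon/Makefile" <<'EOF'
CONFIGURE_OPTIONS += --with-ssl-include=/usr/openssl/1.0/include
CONFIGURE_OPTIONS += --with-ssl-lib=/usr/openssl/1.0/lib/64
EOF
    cat > "$t/modern-client/Makefile" <<'EOF'
# was: /usr/openssl/1.0/include
CPPFLAGS += -I$(OPENSSL_INCDIR)
LDFLAGS += -L$(OPENSSL_LIBDIR)
EOF
    echo 'CFLAGS += -O2' > "$t/no-tls/Makefile"
    echo "$t"
}

tree=$(make_sample_tree)
audit_tree "$tree"
rm -rf "$tree"
```

The "pinned" list is the set that would stay hardcoded once the mediator moves to the default version; the "flexible" list needs no change when it does.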