On Thu, Nov 21, 2019 at 01:05:55AM +0200, Adrian Bunk wrote:
> On Wed, Nov 20, 2019 at 09:39:51PM +0000, mikko.rap...@bmw.de wrote:
> >...
> > I could submit these too if someone wants to set up a community maintenance
> > branch for sumo.
>
> I would not consider this appropriate for a stable branch. With such
> invasive changes it would no longer be reasonably safe for users to
> follow the branch to receive security updates for other recipes.
>
> In Ubuntu 18.04 security support for OpenSSL 1.0.2 is provided until at
> least April 2023. Similar schedules exist for other LTS distributions.
> This provides sources for piggy-backing security support for a few years
> after upstream support ends.

Yes, I agree to this. The reasons for the large intrusive backport are:

* openssl version 1.1.0 in sumo is no longer supported by upstream developers,
  see https://www.openssl.org/policies/releasestrat.html
  "Version 1.1.0 will be supported until 2019-09-11."
  but 1.1.1 is an LTS with support until 2023-09-11

* many recipes like openssh in sumo do not support openssl 1.1.x and an
  update is needed to cover the API breakage.

The backported patches fix most of the issues in poky and meta-openembedded
and I've been able to use the set in multiple projects with different BSP stacks.

So in sumo, openssl 1.0.2 could still be maintainable with Ubuntu etc. help even
when upstream openssl.org support has now ended. Same could apply to openssl 1.1.0
there, but if one suffers and fixes the API changes, then it is maybe better for
users to jump directly to the next openssl 1.1.1x LTS version. The patches
I mentioned achieve this, but I agree they are intrusive and not following stable
policies.

In my case, openssl 1.1.x transition is one of the major blockers for doing more
yocto updates and running closer to master. The backport has helped there and a
following jump to zeus was really straightforward (ignoring lots of issues in
BSP layers but that's life).

Then a note on openssl 1.1.x impact to various BSP layers: some scripting and
bbclasses related to signing etc. may need to be updated, but also those changes
are simple. I wish there was a more open source community approach to share
changes like these among users of various BSPs.

Cheers,

-Mikko