On Wed, May 24, 2023 at 11:03 PM Daniel Gustafsson <dan...@yesql.se> wrote:
> > On 24 May 2023, at 11:52, Michael Paquier <mich...@paquier.xyz> wrote:
> > On Wed, May 24, 2023 at 11:36:56AM +0200, Daniel Gustafsson wrote:
> >> 1.0.2 is also an LTS version available commercially for premium support
> >> customers of OpenSSL (1.1.1 will become an LTS version as well), with
> >> 1.0.2zh slated for release next week. This raises the likelihood of Postgres
> >> installations using 1.0.2 in production still, and for some time to come.
> >
> > Good point. Indeed, that makes it pretty clear that not dropping
> > 1.0.2 would be the best option for the time being, so 0001 would be
> > enough.
>
> I think that's the right move re 1.0.2 support. 1.0.2 is also the version in
> RHEL7 which is in ELS until 2026.

I don't mind either way if we rip out OpenSSL 1.0.2 support now or later, other than a general feeling that cryptography must be about the worst possible category of software to keep supporting for years after it has been declared EOL.

But.. I don't like the idea that our *next* release's library version horizon is controlled by Red Hat's "ELS" phase. The yum.postgresql.org team aren't packaging 17 for RHEL7 AFAICS, which is as it should be if you ask me, because the 10 year maintenance phase ends before 17 will ship. These hypothetical users that want to run an OS even older than that and don't know how to get modern crypto libraries on it but insist on a shiny new PostgreSQL release and build it from source because there are no packages available... don't exist?