Re: [OE-core] openssl: OpenSSL 1.1.x update

2016-12-13 Thread Alexander Kanavin

On 10/06/2016 06:39 PM, Mark Hatle wrote:

>>> The OpenSSL community itself is looking at 1.1.0 as a transition to newer and
>>> better design/api/etc... which is why it is not marked as a LTS release.
>>
>> api changes can be a bothersome point from integration POV, do we know if there
>> are some forwarded porting incompatibilities in APIs already?
>
> I have not investigated it, as my focus has been on the LTS version at this
> point.


I've quickly put together an openssl 1.1 recipe to test what builds and 
what fails in oe-core, and this is the list of failures (any 
dependencies of these aren't even attempted of course, i.e. webkit):


rpm
apr-util
ruby
openssh
bind
socat
mailx (I believe debian provides a rewrite of this one which we need to package)
cryptodev-tests
u-boot-mkimage

Openssl does not seem to be designed for parallel installation of 
several major versions at the same time (headers and pkg-config files 
clash), so (unless someone has a better idea), we need to either wait 
until the above listed upstreams fix their code, or do custom patching.


Mark, when can we expect rpm updates from Wind River? It's been a while 
(actually, 10 months) since anything substantial arrived. I'd like to 
have both a working CVS recipe (for dnf oe-core integration work), and 
an update to the stable release with openssl 1.1 support in it - so that 
oe-core can provide openssl 1.1. I simply do not have the bandwidth or 
the expertise to do this work myself - far too many patches to rebase, 
and a code base that I don't even begin to understand.


Alex
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


Re: [OE-core] openssl: OpenSSL 1.1.x update

2016-10-13 Thread Hatle, Mark
While this is not a fully authoritative answer, I believe what you wrote will
be correct.  Latest 1.0.2 in 2.2.  Master (in future) will have both 1.0.2 and
1.1.0.


> On Oct 13, 2016, at 12:36, Tan, Raymond <raymond@intel.com> wrote:
> 
> Warm Regards, 
> 
>  Raymond Tan
> 
>> -----Original Message-----
>> From: Mark Hatle [mailto:mark.ha...@windriver.com]
>> Sent: Thursday, October 06, 2016 11:40 PM
>> To: Khem Raj <raj.k...@gmail.com>
>> Cc: Tan, Raymond <raymond@intel.com>; openembedded-
>> c...@lists.openembedded.org; Gupta, Rahul KumarXX
>> <rahul.kumarxx.gu...@intel.com>
>> Subject: Re: [OE-core] openssl: OpenSSL 1.1.x update
>> 
>>> On 10/6/16 10:22 AM, Khem Raj wrote:
>>> 
>>>> On Oct 6, 2016, at 7:21 AM, Mark Hatle <mark.ha...@windriver.com>
>> wrote:
>>>> 
>>>>> On 10/5/16 9:59 PM, Khem Raj wrote:
>>>>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle <mark.ha...@windriver.com>
>> wrote:
>>>>>> On 10/5/16 9:11 PM, Tan, Raymond wrote:
>>>>>>> Greetings, I would like to know if there is any plan / schedule to 
>>>>>>> upgrade
>> to openssl 1.1.0 into OE-core?
>>>>>> 
>>>>>> Currently 1.0.2 is the LTS version of OpenSSL.  1.1.0 is not scheduled 
>>>>>> to be
>> LTS.
>>>>>> 
>>>>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in
>>>>>> it.  There are still too many incompatibilities with other components.
>>>>>> 
>>>>>> For the next version of OE, I think it is appropriate to include
>>>>>> 1.1.0, but I would also like to maintain 1.0.2 for the time being.
>>>>>> (Beside LTS, it also is still the only way to have FIPS-140-2
>>>>>> module, as there is currently no module in the 1.1.0 -- and there
>>>>>> may not be for a while.)
>>>>> 
> 
> This means earliest possible would be post morty? And 1.0.2 would still be 
> maintained in there due to the LTS status?
> 
> The reason I'm checking is we are trying to integrate a new QAT openssl 
> engine, which is developed for openssl 1.1.0. 
> 
>>>>> What do we get with 1.1.0 ?
>>>> 
>>>> Latest and greatest code of course.. :)
>>>> 
>>>> Reality, not a lot more over 1.0.2... there are some significant
>>>> redesigns that should help improve overall security of the OpenSSL
>>>> library and items using the library.  But various things will have to be
>> updated to make use of this.
>>>> 
>>>> The OpenSSL community itself is looking at 1.1.0 as a transition to
>>>> newer and better design/api/etc... which is why it is not marked as a LTS
>> release.
>>> 
>>> api changes can be a bothersome point from integration POV, do we know
>>> if there are some forwarded porting incompatibilities in APIs already?
>> 
>> I have not investigated it, as my focus has been on the LTS version at this 
>> point.
>> 
>> --Mark
>> 
>>>> 
>>>> Beside my basic understanding (above) there should be information as
>>>> part of the
>>>> 1.1.0 release notes.
>>>> 
>>>> --Mark
>>>> 
>>>>>> 
>>>>>> --Mark
>>>>>> 
>>>>>>> Thanks!
>>>>>>> 
>>>>>>> Raymond Tan
>>>>>>> 
>>>>>> 
>>>> 
>>> 
> 


Re: [OE-core] openssl: OpenSSL 1.1.x update

2016-10-13 Thread Tan, Raymond
Warm Regards, 

 Raymond Tan

> -----Original Message-----
> From: Mark Hatle [mailto:mark.ha...@windriver.com]
> Sent: Thursday, October 06, 2016 11:40 PM
> To: Khem Raj <raj.k...@gmail.com>
> Cc: Tan, Raymond <raymond@intel.com>; openembedded-
> c...@lists.openembedded.org; Gupta, Rahul KumarXX
> <rahul.kumarxx.gu...@intel.com>
> Subject: Re: [OE-core] openssl: OpenSSL 1.1.x update
> 
> On 10/6/16 10:22 AM, Khem Raj wrote:
> >
> >> On Oct 6, 2016, at 7:21 AM, Mark Hatle <mark.ha...@windriver.com>
> wrote:
> >>
> >> On 10/5/16 9:59 PM, Khem Raj wrote:
> >>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle <mark.ha...@windriver.com>
> wrote:
> >>>> On 10/5/16 9:11 PM, Tan, Raymond wrote:
> >>>>> Greetings, I would like to know if there is any plan / schedule to 
> >>>>> upgrade
> to openssl 1.1.0 into OE-core?
> >>>>
> >>>> Currently 1.0.2 is the LTS version of OpenSSL.  1.1.0 is not scheduled 
> >>>> to be
> LTS.
> >>>>
> >>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in
> >>>> it.  There are still too many incompatibilities with other components.
> >>>>
> >>>> For the next version of OE, I think it is appropriate to include
> >>>> 1.1.0, but I would also like to maintain 1.0.2 for the time being.
> >>>> (Beside LTS, it also is still the only way to have FIPS-140-2
> >>>> module, as there is currently no module in the 1.1.0 -- and there
> >>>> may not be for a while.)
> >>>

This means earliest possible would be post morty? And 1.0.2 would still be 
maintained in there due to the LTS status?

The reason I'm checking is we are trying to integrate a new QAT openssl engine, 
which is developed for openssl 1.1.0. 

> >>> What do we get with 1.1.0 ?
> >>
> >> Latest and greatest code of course.. :)
> >>
> >> Reality, not a lot more over 1.0.2... there are some significant
> >> redesigns that should help improve overall security of the OpenSSL
> >> library and items using the library.  But various things will have to be
> updated to make use of this.
> >>
> >> The OpenSSL community itself is looking at 1.1.0 as a transition to
> >> newer and better design/api/etc... which is why it is not marked as a LTS
> release.
> >
> > api changes can be a bothersome point from integration POV, do we know
> > if there are some forwarded porting incompatibilities in APIs already?
> 
> I have not investigated it, as my focus has been on the LTS version at this 
> point.
> 
> --Mark
> 
> >>
> >> Beside my basic understanding (above) there should be information as
> >> part of the
> >> 1.1.0 release notes.
> >>
> >> --Mark
> >>
> >>>>
> >>>> --Mark
> >>>>
> >>>>> Thanks!
> >>>>>
> >>>>> Raymond Tan
> >>>>>
> >>>>
> >>
> >



Re: [OE-core] openssl: OpenSSL 1.1.x update

2016-10-06 Thread Mark Hatle
On 10/6/16 10:22 AM, Khem Raj wrote:
> 
>> On Oct 6, 2016, at 7:21 AM, Mark Hatle  wrote:
>>
>> On 10/5/16 9:59 PM, Khem Raj wrote:
>>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle  wrote:
>>>> On 10/5/16 9:11 PM, Tan, Raymond wrote:
>>>>> Greetings, I would like to know if there is any plan / schedule to
>>>>> upgrade to openssl 1.1.0 into OE-core?
>>>>
>>>> Currently 1.0.2 is the LTS version of OpenSSL.  1.1.0 is not scheduled to
>>>> be LTS.
>>>>
>>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it.
>>>> There are still too many incompatibilities with other components.
>>>>
>>>> For the next version of OE, I think it is appropriate to include 1.1.0,
>>>> but I would also like to maintain 1.0.2 for the time being.  (Beside LTS,
>>>> it also is still the only way to have FIPS-140-2 module, as there is
>>>> currently no module in the 1.1.0 -- and there may not be for a while.)
>>>
>>> What do we get with 1.1.0 ?
>>
>> Latest and greatest code of course.. :)
>>
>> Reality, not a lot more over 1.0.2... there are some significant redesigns 
>> that
>> should help improve overall security of the OpenSSL library and items using 
>> the
>> library.  But various things will have to be updated to make use of this.
>>
>> The OpenSSL community itself is looking at 1.1.0 as a transition to newer and
>> better design/api/etc... which is why it is not marked as a LTS release.
> 
> api changes can be a bothersome point from integration POV, do we know if 
> there
> are some forwarded porting incompatibilities in APIs already?

I have not investigated it, as my focus has been on the LTS version at this 
point.

--Mark

>>
>> Beside my basic understanding (above) there should be information as part of 
>> the
>> 1.1.0 release notes.
>>
>> --Mark
>>

>>>> --Mark
>>>>
>>>>> Thanks!
>>>>>
>>>>> Raymond Tan
>>>>>

>>
> 



Re: [OE-core] openssl: OpenSSL 1.1.x update

2016-10-06 Thread Khem Raj

> On Oct 6, 2016, at 7:21 AM, Mark Hatle  wrote:
> 
> On 10/5/16 9:59 PM, Khem Raj wrote:
>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle  wrote:
>>> On 10/5/16 9:11 PM, Tan, Raymond wrote:
>>>> Greetings, I would like to know if there is any plan / schedule to upgrade
>>>> to openssl 1.1.0 into OE-core?
>>> 
>>> Currently 1.0.2 is the LTS version of OpenSSL.  1.1.0 is not scheduled to 
>>> be LTS.
>>> 
>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it.  
>>> There
>>> are still too many incompatibilities with other components.
>>> 
>>> For the next version of OE, I think it is appropriate to include 1.1.0, but 
>>> I
>>> would also like to maintain 1.0.2 for the time being.  (Beside LTS, it also 
>>> is
>>> still the only way to have FIPS-140-2 module, as there is currently no 
>>> module in
>>> the 1.1.0 -- and there may not be for a while.)
>> 
>> What do we get with 1.1.0 ?
> 
> Latest and greatest code of course.. :)
> 
> Reality, not a lot more over 1.0.2... there are some significant redesigns 
> that
> should help improve overall security of the OpenSSL library and items using 
> the
> library.  But various things will have to be updated to make use of this.
> 
> The OpenSSL community itself is looking at 1.1.0 as a transition to newer and
> better design/api/etc... which is why it is not marked as a LTS release.

api changes can be a bothersome point from integration POV, do we know if there
are some forwarded porting incompatibilities in APIs already?

> 
> Beside my basic understanding (above) there should be information as part of 
> the
> 1.1.0 release notes.
> 
> --Mark
> 
>>> 
>>> --Mark
>>> 
>>>> Thanks!
>>>>
>>>> Raymond Tan
>>>>
>>> 
> 





Re: [OE-core] openssl: OpenSSL 1.1.x update

2016-10-06 Thread Mark Hatle
On 10/5/16 9:59 PM, Khem Raj wrote:
> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle  wrote:
>> On 10/5/16 9:11 PM, Tan, Raymond wrote:
>>> Greetings, I would like to know if there is any plan / schedule to upgrade 
>>> to openssl 1.1.0 into OE-core?
>>
>> Currently 1.0.2 is the LTS version of OpenSSL.  1.1.0 is not scheduled to be 
>> LTS.
>>
>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it.  There
>> are still too many incompatibilities with other components.
>>
>> For the next version of OE, I think it is appropriate to include 1.1.0, but I
>> would also like to maintain 1.0.2 for the time being.  (Beside LTS, it also 
>> is
>> still the only way to have FIPS-140-2 module, as there is currently no 
>> module in
>> the 1.1.0 -- and there may not be for a while.)
> 
> What do we get with 1.1.0 ?

Latest and greatest code of course.. :)

Reality, not a lot more over 1.0.2... there are some significant redesigns that
should help improve overall security of the OpenSSL library and items using the
library.  But various things will have to be updated to make use of this.

The OpenSSL community itself is looking at 1.1.0 as a transition to newer and
better design/api/etc... which is why it is not marked as a LTS release.

Beside my basic understanding (above) there should be information as part of the
1.1.0 release notes.

--Mark

>>
>> --Mark
>>
>>> Thanks!
>>>
>>> Raymond Tan
>>>
>>



Re: [OE-core] openssl: OpenSSL 1.1.x update

2016-10-05 Thread Khem Raj
On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle  wrote:
> On 10/5/16 9:11 PM, Tan, Raymond wrote:
>> Greetings, I would like to know if there is any plan / schedule to upgrade 
>> to openssl 1.1.0 into OE-core?
>
> Currently 1.0.2 is the LTS version of OpenSSL.  1.1.0 is not scheduled to be 
> LTS.
>
> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it.  There
> are still too many incompatibilities with other components.
>
> For the next version of OE, I think it is appropriate to include 1.1.0, but I
> would also like to maintain 1.0.2 for the time being.  (Beside LTS, it also is
> still the only way to have FIPS-140-2 module, as there is currently no module 
> in
> the 1.1.0 -- and there may not be for a while.)

What do we get with 1.1.0 ?

>
> --Mark
>
>> Thanks!
>>
>> Raymond Tan
>>
>


Re: [OE-core] openssl: OpenSSL 1.1.x update

2016-10-05 Thread Paul Eggleton
Hi Raymond,

On Thu, 06 Oct 2016 02:11:59 Tan, Raymond wrote:
> Greetings, I would like to know if there is any plan / schedule to upgrade
> to openssl 1.1.0 into OE-core?

I am not aware of any discussion about this (and my answer shouldn't be 
considered authoritative), however it does look like upgrading to 1.1.0 will 
result in compatibility issues with code that links to OpenSSL, thus I expect 
we would need to evaluate the impact of doing so. In any event we are in 
milestone 4 of the 2.2 release in which as a general rule we do not do version 
upgrades except when absolutely necessary, so the earliest we would look at 
this would be for 2.3.

Note that for 2.2 we have kept up-to-date with OpenSSL releases on the 1.0.2 
branch to date as the risk of compatibility problems across upgrades there is 
significantly lower.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre


Re: [OE-core] openssl: OpenSSL 1.1.x update

2016-10-05 Thread Mark Hatle
On 10/5/16 9:11 PM, Tan, Raymond wrote:
> Greetings, I would like to know if there is any plan / schedule to upgrade to 
> openssl 1.1.0 into OE-core? 

Currently 1.0.2 is the LTS version of OpenSSL.  1.1.0 is not scheduled to be 
LTS.

For the upcoming release (soon), I would NOT expect 1.1.0 to be in it.  There
are still too many incompatibilities with other components.

For the next version of OE, I think it is appropriate to include 1.1.0, but I
would also like to maintain 1.0.2 for the time being.  (Beside LTS, it also is
still the only way to have FIPS-140-2 module, as there is currently no module in
the 1.1.0 -- and there may not be for a while.)

--Mark

> Thanks!
> 
> Raymond Tan
> 
