Re: [OE-core] openssl: OpenSSL 1.1.x update
On 10/06/2016 06:39 PM, Mark Hatle wrote:
>>> The OpenSSL community itself is looking at 1.1.0 as a transition to
>>> newer and better design/api/etc... which is why it is not marked as a
>>> LTS release.
>>
>> api changes can be a bothersome point from integration POV, do we know
>> if there are some forwarded porting incompatibilities in APIs already?
>
> I have not investigated it, as my focus has been on the LTS version at
> this point.

I've quickly put together an openssl 1.1 recipe to test what builds and what fails in oe-core, and this is the list of failures (any dependencies of these aren't even attempted of course, i.e. webkit):

rpm
apr-util
ruby
openssh
bind
socat
mailx (I believe debian provides a rewrite of this one which we need to package)
cryptodev-tests
u-boot-mkimage

Openssl does not seem to be designed for parallel installation of several major versions at the same time (headers and pkg-config files clash), so (unless someone has a better idea), we need to either wait until the above listed upstreams fix their code, or do custom patching.

Mark, when can we expect rpm updates from Wind River? It's been a while (actually, 10 months) since anything substantial arrived. I'd like to have both a working CVS recipe (for dnf oe-core integration work), and an update to the stable release with openssl 1.1 support in it - so that oe-core can provide openssl 1.1. I simply do not have the bandwidth or the expertise to do this work myself - far too many patches to rebase, and a code base that I don't even begin to understand.

Alex

--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] openssl: OpenSSL 1.1.x update
While this is not a fully authoritative answer, I believe what you wrote will be correct. Latest 1.0.2 in 2.2. Master (in future) will have both 1.0.2 and 1.1.0.

> On Oct 13, 2016, at 12:36, Tan, Raymond <raymond@intel.com> wrote:
>
> Warm Regards,
>
> Raymond Tan
>
>> -Original Message-
>> From: Mark Hatle [mailto:mark.ha...@windriver.com]
>> Sent: Thursday, October 06, 2016 11:40 PM
>> To: Khem Raj <raj.k...@gmail.com>
>> Cc: Tan, Raymond <raymond@intel.com>; openembedded-c...@lists.openembedded.org; Gupta, Rahul KumarXX <rahul.kumarxx.gu...@intel.com>
>> Subject: Re: [OE-core] openssl: OpenSSL 1.1.x update
>>
>>> On 10/6/16 10:22 AM, Khem Raj wrote:
>>>
>>>> On Oct 6, 2016, at 7:21 AM, Mark Hatle <mark.ha...@windriver.com> wrote:
>>>>
>>>>> On 10/5/16 9:59 PM, Khem Raj wrote:
>>>>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle <mark.ha...@windriver.com> wrote:
>>>>>> On 10/5/16 9:11 PM, Tan, Raymond wrote:
>>>>>>> Greetings, I would like to know if there is any plan / schedule to
>>>>>>> upgrade to openssl 1.1.0 into OE-core?
>>>>>>
>>>>>> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled
>>>>>> to be LTS.
>>>>>>
>>>>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in
>>>>>> it. There are still too many incompatibilities with other components.
>>>>>>
>>>>>> For the next version of OE, I think it is appropriate to include
>>>>>> 1.1.0, but I would also like to maintain 1.0.2 for the time being.
>>>>>> (Beside LTS, it also is still the only way to have FIPS-140-2
>>>>>> module, as there is currently no module in the 1.1.0 -- and there
>>>>>> may not be for a while.)
>>>>>
>
> This means earliest possible would be post morty? And 1.0.2 would still be
> maintained in there due to the LTS status?
>
> The reason I'm checking is we are trying to integrate a new QAT openssl
> engine, which is developed for openssl 1.1.0.
>
>>>>> What do we get with 1.1.0 ?
>>>>
>>>> Latest and greatest code of course.. :)
>>>>
>>>> Reality, not a lot more over 1.0.2... there are some significant
>>>> redesigns that should help improve overall security of the OpenSSL
>>>> library and items using the library. But various things will have to be
>>>> updated to make use of this.
>>>>
>>>> The OpenSSL community itself is looking at 1.1.0 as a transition to
>>>> newer and better design/api/etc... which is why it is not marked as a LTS
>>>> release.
>>>
>>> api changes can be a bothersome point from integration POV, do we know
>>> if there are some forwarded porting incompatibilities in APIs already?
>>
>> I have not investigated it, as my focus has been on the LTS version at this
>> point.
>>
>> --Mark
>>
>>>>
>>>> Beside my basic understanding (above) there should be information as
>>>> part of the 1.1.0 release notes.
>>>>
>>>> --Mark
>>>>
>>>>>>
>>>>>> --Mark
>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Raymond Tan
Re: [OE-core] openssl: OpenSSL 1.1.x update
Warm Regards,

Raymond Tan

> -Original Message-
> From: Mark Hatle [mailto:mark.ha...@windriver.com]
> Sent: Thursday, October 06, 2016 11:40 PM
> To: Khem Raj <raj.k...@gmail.com>
> Cc: Tan, Raymond <raymond@intel.com>; openembedded-c...@lists.openembedded.org; Gupta, Rahul KumarXX <rahul.kumarxx.gu...@intel.com>
> Subject: Re: [OE-core] openssl: OpenSSL 1.1.x update
>
> On 10/6/16 10:22 AM, Khem Raj wrote:
> >
> >> On Oct 6, 2016, at 7:21 AM, Mark Hatle <mark.ha...@windriver.com> wrote:
> >>
> >> On 10/5/16 9:59 PM, Khem Raj wrote:
> >>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle <mark.ha...@windriver.com> wrote:
> >>>> On 10/5/16 9:11 PM, Tan, Raymond wrote:
> >>>>> Greetings, I would like to know if there is any plan / schedule to
> >>>>> upgrade to openssl 1.1.0 into OE-core?
> >>>>
> >>>> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled
> >>>> to be LTS.
> >>>>
> >>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in
> >>>> it. There are still too many incompatibilities with other components.
> >>>>
> >>>> For the next version of OE, I think it is appropriate to include
> >>>> 1.1.0, but I would also like to maintain 1.0.2 for the time being.
> >>>> (Beside LTS, it also is still the only way to have FIPS-140-2
> >>>> module, as there is currently no module in the 1.1.0 -- and there
> >>>> may not be for a while.)
> >>>

This means earliest possible would be post morty? And 1.0.2 would still be maintained in there due to the LTS status?

The reason I'm checking is we are trying to integrate a new QAT openssl engine, which is developed for openssl 1.1.0.

> >>> What do we get with 1.1.0 ?
> >>
> >> Latest and greatest code of course.. :)
> >>
> >> Reality, not a lot more over 1.0.2... there are some significant
> >> redesigns that should help improve overall security of the OpenSSL
> >> library and items using the library. But various things will have to be
> >> updated to make use of this.
> >>
> >> The OpenSSL community itself is looking at 1.1.0 as a transition to
> >> newer and better design/api/etc... which is why it is not marked as a LTS
> >> release.
> >
> > api changes can be a bothersome point from integration POV, do we know
> > if there are some forwarded porting incompatibilities in APIs already?
>
> I have not investigated it, as my focus has been on the LTS version at this
> point.
>
> --Mark
>
> >>
> >> Beside my basic understanding (above) there should be information as
> >> part of the 1.1.0 release notes.
> >>
> >> --Mark
> >>
> >>>>
> >>>> --Mark
> >>>>
> >>>>> Thanks!
> >>>>>
> >>>>> Raymond Tan
Re: [OE-core] openssl: OpenSSL 1.1.x update
On 10/6/16 10:22 AM, Khem Raj wrote:
>
>> On Oct 6, 2016, at 7:21 AM, Mark Hatle wrote:
>>
>> On 10/5/16 9:59 PM, Khem Raj wrote:
>>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle wrote:
>>>> On 10/5/16 9:11 PM, Tan, Raymond wrote:
>>>>> Greetings, I would like to know if there is any plan / schedule to
>>>>> upgrade to openssl 1.1.0 into OE-core?
>>>>
>>>> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled
>>>> to be LTS.
>>>>
>>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it.
>>>> There are still too many incompatibilities with other components.
>>>>
>>>> For the next version of OE, I think it is appropriate to include 1.1.0,
>>>> but I would also like to maintain 1.0.2 for the time being. (Beside LTS,
>>>> it also is still the only way to have FIPS-140-2 module, as there is
>>>> currently no module in the 1.1.0 -- and there may not be for a while.)
>>>
>>> What do we get with 1.1.0 ?
>>
>> Latest and greatest code of course.. :)
>>
>> Reality, not a lot more over 1.0.2... there are some significant redesigns
>> that should help improve overall security of the OpenSSL library and items
>> using the library. But various things will have to be updated to make use
>> of this.
>>
>> The OpenSSL community itself is looking at 1.1.0 as a transition to newer and
>> better design/api/etc... which is why it is not marked as a LTS release.
>
> api changes can be a bothersome point from integration POV, do we know if
> there are some forwarded porting incompatibilities in APIs already?

I have not investigated it, as my focus has been on the LTS version at this point.

--Mark

>>
>> Beside my basic understanding (above) there should be information as part of
>> the 1.1.0 release notes.
>>
>> --Mark
>>
>>>>
>>>> --Mark
>>>>
>>>>> Thanks!
>>>>>
>>>>> Raymond Tan
Re: [OE-core] openssl: OpenSSL 1.1.x update
> On Oct 6, 2016, at 7:21 AM, Mark Hatle wrote:
>
> On 10/5/16 9:59 PM, Khem Raj wrote:
>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle wrote:
>>> On 10/5/16 9:11 PM, Tan, Raymond wrote:
>>>> Greetings, I would like to know if there is any plan / schedule to
>>>> upgrade to openssl 1.1.0 into OE-core?
>>>
>>> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to
>>> be LTS.
>>>
>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it.
>>> There are still too many incompatibilities with other components.
>>>
>>> For the next version of OE, I think it is appropriate to include 1.1.0,
>>> but I would also like to maintain 1.0.2 for the time being. (Beside LTS,
>>> it also is still the only way to have FIPS-140-2 module, as there is
>>> currently no module in the 1.1.0 -- and there may not be for a while.)
>>
>> What do we get with 1.1.0 ?
>
> Latest and greatest code of course.. :)
>
> Reality, not a lot more over 1.0.2... there are some significant redesigns
> that should help improve overall security of the OpenSSL library and items
> using the library. But various things will have to be updated to make use
> of this.
>
> The OpenSSL community itself is looking at 1.1.0 as a transition to newer and
> better design/api/etc... which is why it is not marked as a LTS release.

api changes can be a bothersome point from integration POV, do we know if there are some forwarded porting incompatibilities in APIs already?

>
> Beside my basic understanding (above) there should be information as part of
> the 1.1.0 release notes.
>
> --Mark
>
>>>
>>> --Mark
>>>
>>>> Thanks!
>>>>
>>>> Raymond Tan
Re: [OE-core] openssl: OpenSSL 1.1.x update
On 10/5/16 9:59 PM, Khem Raj wrote:
> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle wrote:
>> On 10/5/16 9:11 PM, Tan, Raymond wrote:
>>> Greetings, I would like to know if there is any plan / schedule to upgrade
>>> to openssl 1.1.0 into OE-core?
>>
>> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to be
>> LTS.
>>
>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it. There
>> are still too many incompatibilities with other components.
>>
>> For the next version of OE, I think it is appropriate to include 1.1.0, but I
>> would also like to maintain 1.0.2 for the time being. (Beside LTS, it also
>> is still the only way to have FIPS-140-2 module, as there is currently no
>> module in the 1.1.0 -- and there may not be for a while.)
>
> What do we get with 1.1.0 ?

Latest and greatest code of course.. :)

Reality, not a lot more over 1.0.2... there are some significant redesigns that should help improve overall security of the OpenSSL library and items using the library. But various things will have to be updated to make use of this.

The OpenSSL community itself is looking at 1.1.0 as a transition to newer and better design/api/etc... which is why it is not marked as a LTS release.

Beside my basic understanding (above) there should be information as part of the 1.1.0 release notes.

--Mark

>>
>> --Mark
>>
>>> Thanks!
>>>
>>> Raymond Tan
Re: [OE-core] openssl: OpenSSL 1.1.x update
On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle wrote:
> On 10/5/16 9:11 PM, Tan, Raymond wrote:
>> Greetings, I would like to know if there is any plan / schedule to upgrade
>> to openssl 1.1.0 into OE-core?
>
> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to be
> LTS.
>
> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it. There
> are still too many incompatibilities with other components.
>
> For the next version of OE, I think it is appropriate to include 1.1.0, but I
> would also like to maintain 1.0.2 for the time being. (Beside LTS, it also is
> still the only way to have FIPS-140-2 module, as there is currently no module
> in the 1.1.0 -- and there may not be for a while.)

What do we get with 1.1.0 ?

>
> --Mark
>
>> Thanks!
>>
>> Raymond Tan
Re: [OE-core] openssl: OpenSSL 1.1.x update
Hi Raymond,

On Thu, 06 Oct 2016 02:11:59 Tan, Raymond wrote:
> Greetings, I would like to know if there is any plan / schedule to upgrade
> to openssl 1.1.0 into OE-core?

I am not aware of any discussion about this (and my answer shouldn't be considered authoritative), however it does look like upgrading to 1.1.0 will result in compatibility issues with code that links to OpenSSL, thus I expect we would need to evaluate the impact of doing so. In any event we are in milestone 4 of the 2.2 release in which as a general rule we do not do version upgrades except when absolutely necessary, so the earliest we would look at this would be for 2.3.

Note that for 2.2 we have kept up-to-date with OpenSSL releases on the 1.0.2 branch to date as the risk of compatibility problems across upgrades there is significantly lower.

Cheers,
Paul

--
Paul Eggleton
Intel Open Source Technology Centre
Re: [OE-core] openssl: OpenSSL 1.1.x update
On 10/5/16 9:11 PM, Tan, Raymond wrote:
> Greetings, I would like to know if there is any plan / schedule to upgrade to
> openssl 1.1.0 into OE-core?

Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to be LTS.

For the upcoming release (soon), I would NOT expect 1.1.0 to be in it. There are still too many incompatibilities with other components.

For the next version of OE, I think it is appropriate to include 1.1.0, but I would also like to maintain 1.0.2 for the time being. (Beside LTS, it also is still the only way to have FIPS-140-2 module, as there is currently no module in the 1.1.0 -- and there may not be for a while.)

--Mark

> Thanks!
>
> Raymond Tan