[MacPorts] #68766: openssl3 @3.2.0_0+universal may have broken PRNG

MacPorts noreply at macports.org
Sun Nov 26 13:49:51 UTC 2023


#68766: openssl3 @3.2.0_0+universal may have broken PRNG
------------------------+------------------------
  Reporter:  fhgwright  |      Owner:  neverpanic
      Type:  defect     |     Status:  assigned
  Priority:  Normal     |  Milestone:
 Component:  ports      |    Version:
Resolution:             |   Keywords:
      Port:  openssl3   |
------------------------+------------------------

Comment (by neverpanic):

 Replying to [comment:10 fhgwright]:
 > In addition to the entropy issues, `openssl3 @3.2.0` fails many of its
 > tests, while `openssl3 @3.1.4_1` passes all of them, and `openssl3 @3.2.0`
 > fails to build on 10.4 and 10.5 (except 10.5 i386), while `openssl3
 > @3.1.4_1` builds for all platforms.

 10.4 and 10.5 are very very old. Expect breakage from time to time on
 systems that are as old as this.
 You're reporting this for Mavericks, that's now 10 versions ago. Mavericks
 was released in 2013. The last update for Mavericks was shipped in 2016,
 that's 7 years ago.

 Is any of this happening on operating systems that are still supported? I
 haven't seen any indication of such breakage.


 > It's clear that `openssl3 @3.2.0` isn't ready for prime-time.  I'm
 > currently testing a fix that rolls `openssl3` back to 3.1.4, while adding
 > `openssl3-devel @3.2.0` for sorting out the issues.  Going from 3.1.x to
 > 3.2.x is a major update, requiring more thorough testing than a
 > run-of-the-mill point release.

 Please don't hold supported operating systems hostage because you're
 trying to run outdated software. I'm fine with a conditional downgrade to
 3.1.4 on Mavericks and older, but I really really really don't want to
 maintain another version of OpenSSL and deal with the potential breakage
 that occurs if we have multiple OpenSSL versions available, just because
 of Mavericks.

 Spend the time to investigate how this can be fixed on Mavericks instead.


 > BTW, the revbump for `openssh` was definitely superfluous.  I suspect
 > the same for `freeradius` and `p5-net-ssleay`, though I can't easily
 > check.  The revbump for `openssl` added some new manpage symlinks, but
 > otherwise didn't change anything.  The Portfile comment about
 > unconditionally revbumping these dependents is clearly misguided (except
 > perhaps for `openssl`).

 I'm not sure about freeradius, I haven't read their source code. For
 openssh, I'm pretty sure the revbump is required, because OpenSSH used to
 have a check to ensure that the minor version it was built against is the
 minor version it is running against, even though binary compatibility was
 preserved between OpenSSL 3.1.4 and 3.2.0. Maybe they dropped this
 pointless check now, but it was definitely still there a few months ago
 when a colleague of mine checked for Fedora.

 I personally verified the p5-net-ssleay bump is required. We saw build
 failures in ports that depend on p5-net-ssleay when we updated from 3.0 to
 3.1.

 Doing the revbump is on the safe side. Not doing it may lead to problems
 we don't immediately see.

-- 
Ticket URL: <https://trac.macports.org/ticket/68766#comment:11>
MacPorts <https://www.macports.org/>
Ports system for macOS

