[MacPorts] #68766: openssl3 @3.2.0_0+universal may have broken PRNG
MacPorts
noreply at macports.org
Sun Nov 26 13:49:51 UTC 2023
------------------------+------------------------
Reporter: fhgwright | Owner: neverpanic
Type: defect | Status: assigned
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: openssl3 |
------------------------+------------------------
Comment (by neverpanic):
Replying to [comment:10 fhgwright]:
> In addition to the entropy issues, `openssl3 @3.2.0` fails many of its
> tests, while `openssl3 @3.1.4_1` passes all of them, and `openssl3 @3.2.0`
> fails to build on 10.4 and 10.5 (except 10.5 i386), while
> `openssl3 @3.1.4_1` builds for all platforms.

10.4 and 10.5 are very very old. Expect breakage from time to time on
systems that are as old as this.

You're reporting this for Mavericks, that's now 10 versions ago. Mavericks
was released in 2013. The last update for Mavericks was shipped in 2016,
that's 7 years ago.

Is any of this happening on operating systems that are still supported? I
haven't seen any indication of such breakage.

> It's clear that `openssl3 @3.2.0` isn't ready for prime-time. I'm
> currently testing a fix that rolls `openssl3` back to 3.1.4, while adding
> `openssl3-devel @3.2.0` for sorting out the issues. Going from 3.1.x to
> 3.2.x is a major update, requiring more thorough testing than a
> run-of-the-mill point release.

Please don't hold supported operating systems hostage because you're
trying to run outdated software. I'm fine with a conditional downgrade to
3.1.4 on Mavericks and older, but I really really really don't want to
maintain another version of OpenSSL and deal with the potential breakage
that occurs if we have multiple OpenSSL versions available, just because
of Mavericks.

Spend the time to investigate how this can be fixed on Mavericks instead.

> BTW, the revbump for `openssh` was definitely superfluous. I suspect
> the same for `freeradius` and `p5-net-ssleay`, though I can't easily
> check. The revbump for `openssl` added some new manpage symlinks, but
> otherwise didn't change anything. The Portfile comment about
> unconditionally revbumping these dependents is clearly misguided (except
> perhaps for `openssl`).

I'm not sure about freeradius, I haven't read their source code. For
openssh, I'm pretty sure the revbump is required, because OpenSSH used to
have a check to ensure that the minor version it was built against is the
minor version against which it is running, even though binary compatibility
was preserved between OpenSSL 3.1.4 and 3.2.0. Maybe they dropped this
pointless check now, but it was definitely still there a few months ago
when a colleague of mine checked for Fedora.

I personally verified the p5-net-ssleay bump is required. We saw build
failures in ports that depend on p5-net-ssleay when we updated from 3.0 to
3.1.

Doing the revbump is on the safe side. Not doing it may lead to problems
we don't immediately see.
--
Ticket URL: <https://trac.macports.org/ticket/68766#comment:11>
MacPorts <https://www.macports.org/>
Ports system for macOS
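
The kind of build-time versus run-time version check discussed in the comment above, sketched as an added example. It is not OpenSSH's code and not part of the original message: the function names and both policies are hypothetical, the two version values are constructed, and only the OpenSSL 3.x `OPENSSL_VERSION_NUMBER` layout (0xMNN00PP0L) is OpenSSL's own.

```c
#include <stdio.h>

/* OpenSSL 3.x layout of OPENSSL_VERSION_NUMBER: 0xMNN00PP0L
 * (major: bits 28-31, minor: bits 20-27, patch: bits 4-11). */
#define VER_MAJOR(v) (((v) >> 28) & 0xfUL)
#define VER_MINOR(v) (((v) >> 20) & 0xffUL)
#define VER_PATCH(v) (((v) >> 4) & 0xffUL)

/* Constructed sample values for the two releases named in the ticket. */
#define SAMPLE_3_1_4 0x30100040UL
#define SAMPLE_3_2_0 0x30200000UL

/* Hypothetical strict policy: the library loaded at run time must have the
 * same major AND minor version as the headers used at build time. */
static int strict_minor_match(unsigned long built, unsigned long runtime)
{
    return VER_MAJOR(built) == VER_MAJOR(runtime) &&
           VER_MINOR(built) == VER_MINOR(runtime);
}

/* Hypothetical relaxed policy: same major version, and the run-time library
 * is not older than the build-time headers. */
static int major_compatible(unsigned long built, unsigned long runtime)
{
    if (VER_MAJOR(built) != VER_MAJOR(runtime))
        return 0;
    if (VER_MINOR(runtime) != VER_MINOR(built))
        return VER_MINOR(runtime) > VER_MINOR(built);
    return VER_PATCH(runtime) >= VER_PATCH(built);
}

int main(void)
{
    unsigned long built = SAMPLE_3_1_4, runtime = SAMPLE_3_2_0;

    printf("built against %lu.%lu.%lu, running with %lu.%lu.%lu\n",
           VER_MAJOR(built), VER_MINOR(built), VER_PATCH(built),
           VER_MAJOR(runtime), VER_MINOR(runtime), VER_PATCH(runtime));
    printf("strict minor match: %s\n",
           strict_minor_match(built, runtime) ? "ok" : "refuse to start");
    printf("major-compatible:   %s\n",
           major_compatible(built, runtime) ? "ok" : "refuse to start");
    return 0;
}
```

Under the strict policy a binary built against 3.1.4 rejects a 3.2.0 library until it is rebuilt, which is the situation a revbump of the dependent port addresses.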