[MacPorts] #68766: openssl3 @3.2.0_0+universal may have broken PRNG on Mavericks and older

MacPorts noreply at macports.org
Tue Nov 28 01:41:25 UTC 2023


#68766: openssl3 @3.2.0_0+universal may have broken PRNG on Mavericks and older
------------------------+------------------------
  Reporter:  fhgwright  |      Owner:  neverpanic
      Type:  defect     |     Status:  assigned
  Priority:  Normal     |  Milestone:
 Component:  ports      |    Version:
Resolution:             |   Keywords:
      Port:  openssl3   |
------------------------+------------------------

Comment (by fhgwright):

 Note that the failure on Sierra was reported here ''before'' the summary
 was changed to say "Mavericks and older".

 While I understand the "holding hostage" concept, breaking critical
 programs like `ssh` and `sshd` on many platforms just to rush out (less
 than an hour after the upstream release) an update that almost nobody
 actually needs was hardly reasonable.  There isn't even a "security fix"
 excuse, given that 3.1 is still fully supported upstream (as is 3.0, for
 that matter).  And breaking `sshd` on headless systems can make them
 difficult to fix.

 It looks like it was only sheer luck that the major upgrade from 3.0 to
 3.1 went smoothly.  1.0->1.1 was incompatible.  1.1->3.0 was incompatible.
 3.1->3.2 is currently majorly broken.  3.0->3.1 seems to have been the
 exception to the rule, and one shouldn't count on other major upgrades to
 go smoothly.

 BTW, I've also seen test failures on 10.14 x86_64 and 14.x arm64
 +universal.  I guess folks who think Sonoma is too old to worry about can
 ignore the latter.

 IMO, it would make sense to have subports for all the separately
 maintained upstream versions, similar to what's already done for languages
 (and for the 1.x versions).  That would include not only `openssl31` and
 `openssl32`, but also `openssl30`, not only for completeness, but also to
 make that version available for testing, even though it's unlikely to be
 needed as a port dependency.  However, this is a significantly more
 complicated change than just a rollback plus a -devel for 3.2, and the
 priority should be undoing the damage ASAP.

 I already have a fully tested commit for the latter, which I can submit as
 a PR if I'm not wasting my time.  It would take the pressure off figuring
 out how to fix the multiple issues in 3.2.

-- 
Ticket URL: <https://trac.macports.org/ticket/68766#comment:49>
MacPorts <https://www.macports.org/>
Ports system for macOS

