[MacPorts] #68766: openssl3 @3.2.0_0+universal may have broken PRNG on High Sierra and older

MacPorts noreply at macports.org
Thu Nov 30 02:16:07 UTC 2023


#68766: openssl3 @3.2.0_0+universal may have broken PRNG on High Sierra and older
------------------------+------------------------
  Reporter:  fhgwright  |      Owner:  neverpanic
      Type:  defect     |     Status:  assigned
  Priority:  Normal     |  Milestone:
 Component:  ports      |    Version:
Resolution:             |   Keywords:
      Port:  openssl3   |
------------------------+------------------------

Comment (by fhgwright):

 Replying to [comment:56 neverpanic]:
 > Replying to [comment:49 fhgwright]:
 > > Note that the failure on Sierra was reported here ''before'' the
 > > summary was changed to say "Mavericks and older".
 >
 > I missed the one report about this, that's my fault. I have changed it
 > to High Sierra now, which I believe accurately represents the situation
 > unless I'm missing something?

 Actually, I subsequently discovered that `openssl rand` also fails on High
 Sierra.  The range of OSes where 3.2.0 works properly is continuing to
 shrink.

 > 3.1 to 3.2 isn't a major upgrade. The ABI is compatible.
 > I'm not sure holding off on the update would have contributed to
 > significantly broader test coverage, either.

 It's a major upgrade in the sense that it's a separate upstream release
 branch, with the prior branch still being fully maintained.  It's
 recognized that there may be issues requiring some people to stick to the
 older version.  ABI incompatibility isn't the only source of trouble.
 Even 3.0 is still maintained upstream, and 1.1 only stopped a few months
 ago.

 > Additionally, I did follow up on your comment saying that there are
 > broken tests on 14.x by running the upstream test suite. I did not
 > encounter test failures. Can you provide details?

 There are failures in "port test" on 14.x arm64.  I have logs, but that
 seems OT for this ticket.

 > > IMO, it would make sense to have subports for all the separately
 > > maintained upstream versions, similar to what's already done for languages
 > > (and for the 1.x versions).  That would include not only `openssl31` and
 > > `openssl32`, but also `openssl30`, not only for completeness, but also to
 > > make that version available for testing, even though it's unlikely to be
 > > needed as a port dependency.  However, this is a significantly more
 > > complicated change than just a rollback plus a -devel for 3.2, and the
 > > priority should be undoing the damage ASAP.
 >
 > We've had that before, and I think it's an explicit non-goal. It locks
 > us into not being able to update and stop maintaining the old port because
 > some port still depends on it. Best example: The OpenSSL 1.1 port, which
 > is now unmaintained, but we can't remove it because ports still use it.

 Maintaining ports with few upstream changes isn't that hard.  And ports
 don't exist solely to provide dependencies for other ports.  Users may
 have other code that needs to build against other versions, if for no
 other reasons than testing.  I'd volunteer as co-maintainer if that helps.

 > I don't think a general rollback on all systems is the way to go, as
 > there are no issues I'm aware of in the range [current-3, current] (other
 > than a PostgreSQL issue that is apparently on the PostgreSQL side, not in
 > OpenSSL). I would take a pull request that rolls back older systems to
 > 3.1.4.

 https://github.com/macports/macports-ports/pull/21603

 The minimum OS version for 3.2.0 is now 10.14.

-- 
Ticket URL: <https://trac.macports.org/ticket/68766#comment:62>
MacPorts <https://www.macports.org/>
Ports system for macOS

