[MacPorts] #68766: openssl3 @3.2.0_0+universal may have broken PRNG on High Sierra and older
MacPorts
noreply at macports.org
Thu Nov 30 02:16:07 UTC 2023
#68766: openssl3 @3.2.0_0+universal may have broken PRNG on High Sierra and older
------------------------+------------------------
Reporter: fhgwright | Owner: neverpanic
Type: defect | Status: assigned
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: openssl3 |
------------------------+------------------------
Comment (by fhgwright):
Replying to [comment:56 neverpanic]:
> Replying to [comment:49 fhgwright]:
> > Note that the failure on Sierra was reported here ''before'' the
> > summary was changed to say "Mavericks and older".
>
> I missed the one report about this, that's my fault. I have changed it
> to High Sierra now, which I believe accurately represents the situation
> unless I'm missing something?

Actually, I subsequently discovered that `openssl rand` also fails on High
Sierra. The range of OSes where 3.2.0 works properly is continuing to
shrink.

> 3.1 to 3.2 isn't a major upgrade. The ABI is compatible.
> I'm not sure holding off on the update would have contributed to
> significantly broader test coverage, either.

It's a major upgrade in the sense that it's a separate upstream release
branch, with the prior branch still being fully maintained. It's
recognized that there may be issues requiring some people to stick to the
older version. ABI incompatibility isn't the only source of trouble.
Even 3.0 is still maintained upstream, and 1.1 only stopped a few months
ago.

> Additionally, I did follow up on your comment saying that there are
> broken tests on 14.x by running the upstream test suite. I did not
> encounter test failures. Can you provide details?

There are failures in "port test" on 14.x arm64. I have logs, but that
seems OT for this ticket.

> > IMO, it would make sense to have subports for all the separately
> > maintained upstream versions, similar to what's already done for languages
> > (and for the 1.x versions). That would include not only `openssl31` and
> > `openssl32`, but also `openssl30`, not only for completeness, but also to
> > make that version available for testing, even though it's unlikely to be
> > needed as a port dependency. However, this is a significantly more
> > complicated change than just a rollback plus a -devel for 3.2, and the
> > priority should be undoing the damage ASAP.
>
> We've had that before, and I think it's an explicit non-goal. It locks
> us into not being able to update and stop maintaining the old port because
> some port still depends on it. Best example: The OpenSSL 1.1 port, which
> is now unmaintained, but we can't remove it because ports still use it.

Maintaining ports with few upstream changes isn't that hard. And ports
don't exist solely to provide dependencies for other ports. Users may
have other code that needs to build against other versions, if for no
other reasons than testing. I'd volunteer as co-maintainer if that helps.

> I don't think a general rollback on all systems is the way to go, as
> there are no issues I'm aware of in the range [current-3, current] (other
> than a PostgreSQL issue that is apparently on the PostgreSQL side, not in
> OpenSSL). I would take a pull request that rolls back older systems to
> 3.1.4.

https://github.com/macports/macports-ports/pull/21603

The minimum OS version for 3.2.0 is now 10.14.
--
Ticket URL: <https://trac.macports.org/ticket/68766#comment:62>
MacPorts <https://www.macports.org/>
Ports system for macOS