upgrade to openssl 3.0.0

Fred Wright fw at fwright.net
Tue Oct 5 19:53:44 UTC 2021


On Mon, 4 Oct 2021, Christopher Jones wrote:
>> On 4 Oct 2021, at 5:54 pm, Ken Cunningham <ken.cunningham.webuse at gmail.com> wrote:
>>
>> I was hoping to move this along for the overwhelming benefit of the 
>> license, but TBH the push-back so far is 99.99% negative about moving 
>> to openssl 3.0.0 this year, so too controversial for me to get involved 
>> with. I'll sit back for six to twelve months and see what you guys work 
>> out over the coming year.
>
> All the more reason to follow my suggested migration path then I would 
> say, as it allows an openssl30 port to be made available, and those 
> ports that wish to can use it via the new PG, but it doesn’t have to 
> become the default until some later date.

The PR thread contained (approximately) the following two statements:

1) Unless v3 is the default, nobody will bother to use it.

2) Everybody is really, *really* anxious to move to v3 for the more 
permissive license.

Clearly those two statements are in conflict.

At Google, we had a process called "canarying".  Although technically a 
misnomer, it referred to the "canary in the coal mine" concept, with the 
idea that rolling out new stuff with possible issues should start small, 
so that problems could be found (and hopefully fixed) before they caused 
large-scale breakage.

If the OpenSSL folks were committed to maintaining backward compatibility, 
then none of this nonsense would be necessary, but it's clear that they're 
not.  And there's no reason to assume that they won't pull the same crap 
again in the future (having done so at least twice already), so having a 
mechanism for multiple coexisting OpenSSL "major" versions could have 
long-term value beyond the v3 transition.

> TBH I also was quite dubious of making 3.0.0 the default any time ’soon’

I agree, especially if the only end benefit is the license.  Remember, 
OpenSSL is the poster child for why *not* to assume that newer is 
more secure. :-)

Fred Wright

