unofficial mirror of guix-devel@gnu.org 
* Should we upgrade openssl?
@ 2019-04-15 14:10 Christopher Lemmer Webber
  2019-04-16 20:17 ` Ludovic Courtès
  0 siblings, 1 reply; 7+ messages in thread
From: Christopher Lemmer Webber @ 2019-04-15 14:10 UTC (permalink / raw)
  To: guix-devel

From the openssl website:

> Note: The latest stable version is the 1.1.1 series. This is also our
> Long Term Support (LTS) version, supported until 11th September
> 2023. Our previous LTS version (1.0.2 series) will continue to be
> supported until 31st December 2019 (security fixes only during the
> last year of support). The 1.1.0 series is currently only receiving
> security fixes and will go out of support on 11th September 2019. All
> users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as
> possible. The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support
> and should not be used.

I know, everyone's going to groan hearing this, but maybe given the
above it would make sense to upgrade to the openssl 1.1.0 series before
Guix 1.0 gets out the door?

I guess that would probably require a massive rebuild of core packages
though.

 - cwebb

* Re: Should we upgrade openssl?
  2019-04-15 14:10 Should we upgrade openssl? Christopher Lemmer Webber
@ 2019-04-16 20:17 ` Ludovic Courtès
  2019-04-17  6:09   ` Gábor Boskovits
  0 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2019-04-16 20:17 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: guix-devel

Hello!

Christopher Lemmer Webber <cwebber@dustycloud.org> wrote:

> From the openssl website:
>
>> Note: The latest stable version is the 1.1.1 series. This is also our
>> Long Term Support (LTS) version, supported until 11th September
>> 2023. Our previous LTS version (1.0.2 series) will continue to be
>> supported until 31st December 2019 (security fixes only during the
>> last year of support). The 1.1.0 series is currently only receiving
>> security fixes and will go out of support on 11th September 2019. All
>> users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as
>> possible. The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support
>> and should not be used.
>
> I know, everyone's going to groan hearing this, but maybe given the
> above it would make sense to upgrade to the openssl 1.1.0 series before
> Guix 1.0 gets out the door?

Indeed, I was under the assumption that 1.0 was still the stable
version, but apparently it’s not.

What do Leo and others think?

Thanks for the heads-up!

Ludo’.

* Re: Should we upgrade openssl?
  2019-04-16 20:17 ` Ludovic Courtès
@ 2019-04-17  6:09   ` Gábor Boskovits
  2019-04-17 12:28     ` Ludovic Courtès
  0 siblings, 1 reply; 7+ messages in thread
From: Gábor Boskovits @ 2019-04-17  6:09 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix-devel

Hello,

Ludovic Courtès <ludo@gnu.org> wrote (on Tue, Apr 16, 2019, 22:17):

> Hello!
>
> Christopher Lemmer Webber <cwebber@dustycloud.org> wrote:
>
> > From the openssl website:
> >
> >> Note: The latest stable version is the 1.1.1 series. This is also our
> >> Long Term Support (LTS) version, supported until 11th September
> >> 2023. Our previous LTS version (1.0.2 series) will continue to be
> >> supported until 31st December 2019 (security fixes only during the
> >> last year of support). The 1.1.0 series is currently only receiving
> >> security fixes and will go out of support on 11th September 2019. All
> >> users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as
> >> possible. The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support
> >> and should not be used.
> >
> > I know, everyone's going to groan hearing this, but maybe given the
> > above it would make sense to upgrade to the openssl 1.1.0 series before
> > Guix 1.0 gets out the door?
>
> Indeed, I was under the assumption that 1.0 was still the stable
> version, but apparently it’s not.
>
> What do Leo and others think?
>

I would go for the upgrade. As this is a change affecting lots of packages,
and this upgrade would allow us to reduce the chances to get stuck with a
vulnerable version. I also suppose that there are some changes on
core-updates we would like to merge anyways before 1.0, so if the upgrade
goes smoothly, then this is not a big loss of time. Wdyt?

>
> Thanks for the heads-up!
>
> Ludo’.
>

Best regards,
g_bor


* Re: Should we upgrade openssl?
  2019-04-17  6:09   ` Gábor Boskovits
@ 2019-04-17 12:28     ` Ludovic Courtès
  2019-04-17 12:31       ` Gábor Boskovits
  2019-04-19 16:56       ` Leo Famulari
  0 siblings, 2 replies; 7+ messages in thread
From: Ludovic Courtès @ 2019-04-17 12:28 UTC (permalink / raw)
  To: Gábor Boskovits; +Cc: Guix-devel

Hi Gábor,

Gábor Boskovits <boskovits@gmail.com> wrote:

> I would go for the upgrade. As this is a change affecting lots of packages,
> and this upgrade would allow us to reduce the chances to get stuck with a
> vulnerable version. I also suppose that there are some changes on
> core-updates we would like to merge anyways before 1.0, so if the upgrade
> goes smoothly, then this is not a big loss of time. Wdyt?

Merging ‘core-updates’ is no longer an option for 1.0: I’m seriously
still aiming for around April 30th.  Let’s get our act together!

Likewise, I don’t think the OpenSSL upgrade can be merged on time.  But
that’s OK: we can start working on it and have it merged as soon as
possible, possibly with all of ‘core-updates’.

Thoughts?

Thanks,
Ludo’.

* Re: Should we upgrade openssl?
  2019-04-17 12:28     ` Ludovic Courtès
@ 2019-04-17 12:31       ` Gábor Boskovits
  2019-04-18 17:15         ` Ludovic Courtès
  2019-04-19 16:56       ` Leo Famulari
  1 sibling, 1 reply; 7+ messages in thread
From: Gábor Boskovits @ 2019-04-17 12:31 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix-devel

Hello,

Ludovic Courtès <ludo@gnu.org> wrote (on Wed, Apr 17, 2019, 14:28):

> Hi Gábor,
>
> Gábor Boskovits <boskovits@gmail.com> wrote:
>
> > I would go for the upgrade. As this is a change affecting lots of packages,
> > and this upgrade would allow us to reduce the chances to get stuck with a
> > vulnerable version. I also suppose that there are some changes on
> > core-updates we would like to merge anyways before 1.0, so if the upgrade
> > goes smoothly, then this is not a big loss of time. Wdyt?
>
> Merging ‘core-updates’ is no longer an option for 1.0: I’m seriously
> still aiming for around April 30th.  Let’s get our act together!
>
Ok, that's clear.

>
> Likewise, I don’t think the OpenSSL upgrade can be merged on time.  But
> that’s OK: we can start working on it and have it merged as soon as
> possible, possibly with all of ‘core-updates’.
>
Do we have a list of actionable items we can work on to help?

>
> Thoughts?
>
> Thanks,
> Ludo’.
>
Best regards,
g_bor


* Re: Should we upgrade openssl?
  2019-04-17 12:31       ` Gábor Boskovits
@ 2019-04-18 17:15         ` Ludovic Courtès
  0 siblings, 0 replies; 7+ messages in thread
From: Ludovic Courtès @ 2019-04-18 17:15 UTC (permalink / raw)
  To: Gábor Boskovits; +Cc: Guix-devel

Hi Gábor,

Gábor Boskovits <boskovits@gmail.com> wrote:

> Ludovic Courtès <ludo@gnu.org> wrote (on Wed, Apr 17, 2019,

[...]

>> Likewise, I don’t think the OpenSSL upgrade can be merged on time.  But
>> that’s OK: we can start working on it and have it merged as soon as
>> possible, possibly with all of ‘core-updates’.
>>
> Do we have a list of actionable items we can work on to help?

‘core-updates’ currently fails to build Python 2, which prevents
evaluations from happening in Cuirass.

That said, I’d encourage you to focus on 1.0 first in the short term.
:-)

Thanks,
Ludo’.

* Re: Should we upgrade openssl?
  2019-04-17 12:28     ` Ludovic Courtès
  2019-04-17 12:31       ` Gábor Boskovits
@ 2019-04-19 16:56       ` Leo Famulari
  1 sibling, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2019-04-19 16:56 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix-devel

On Wed, Apr 17, 2019 at 02:28:13PM +0200, Ludovic Courtès wrote:
> Merging ‘core-updates’ is no longer an option for 1.0: I’m seriously
> still aiming for around April 30th.  Let’s get our act together!
> 
> Likewise, I don’t think the OpenSSL upgrade can be merged on time.  But
> that’s OK: we can start working on it and have it merged as soon as
> possible, possibly with all of ‘core-updates’.

I agree, it's not feasible to implement and test this OpenSSL upgrade
for an April 30th deployment. But we do need to do the upgrade during
2019, because OpenSSL 1.0.2 will become unsupported when this year ends.

It shouldn't be too bad because all the other distros are working on it
too, if they have not already finished the upgrade. At this point many
of the users have been adjusted to work with 1.1.1.
