unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Should we upgrade openssl?
@ 2019-04-15 14:10 Christopher Lemmer Webber
  2019-04-16 20:17 ` Ludovic Courtès
  0 siblings, 1 reply; 7+ messages in thread
From: Christopher Lemmer Webber @ 2019-04-15 14:10 UTC (permalink / raw)
  To: guix-devel

From the openssl website:

> Note: The latest stable version is the 1.1.1 series. This is also our
> Long Term Support (LTS) version, supported until 11th September
> 2023. Our previous LTS version (1.0.2 series) will continue to be
> supported until 31st December 2019 (security fixes only during the
> last year of support). The 1.1.0 series is currently only receiving
> security fixes and will go out of support on 11th September 2019. All
> users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as
> possible. The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support
> and should not be used.

I know, everyone's going to groan hearing this, but maybe given the
above it would make sense to upgrade to the openssl 1.1.0 series before
Guix 1.0 gets out the door?

I guess that would probably require a massive rebuild of core packages
though.

 - cwebb

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Should we upgrade openssl?
  2019-04-15 14:10 Should we upgrade openssl? Christopher Lemmer Webber
@ 2019-04-16 20:17 ` Ludovic Courtès
  2019-04-17  6:09   ` Gábor Boskovits
  0 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2019-04-16 20:17 UTC (permalink / raw)
  To: Christopher Lemmer Webber; +Cc: guix-devel

Hello!

Christopher Lemmer Webber <cwebber@dustycloud.org> skribis:

> From the openssl website:
>
>> Note: The latest stable version is the 1.1.1 series. This is also our
>> Long Term Support (LTS) version, supported until 11th September
>> 2023. Our previous LTS version (1.0.2 series) will continue to be
>> supported until 31st December 2019 (security fixes only during the
>> last year of support). The 1.1.0 series is currently only receiving
>> security fixes and will go out of support on 11th September 2019. All
>> users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as
>> possible. The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support
>> and should not be used.
>
> I know, everyone's going to groan hearing this, but maybe given the
> above it would make sense to upgrade to the openssl 1.1.0 series before
> Guix 1.0 gets out the door?

Indeed, I was under the assumption that 1.0 was still the stable
version, but apparently it’s not.

What do Leo and others think?

Thanks for the heads-up!

Ludo’.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Should we upgrade openssl?
  2019-04-16 20:17 ` Ludovic Courtès
@ 2019-04-17  6:09   ` Gábor Boskovits
  2019-04-17 12:28     ` Ludovic Courtès
  0 siblings, 1 reply; 7+ messages in thread
From: Gábor Boskovits @ 2019-04-17  6:09 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix-devel

[-- Attachment #1: Type: text/plain, Size: 1605 bytes --]

Hello,

Ludovic Courtès <ludo@gnu.org> ezt írta (időpont: 2019. ápr. 16., K 22:17):

> Hello!
>
> Christopher Lemmer Webber <cwebber@dustycloud.org> skribis:
>
> > From the openssl website:
> >
> >> Note: The latest stable version is the 1.1.1 series. This is also our
> >> Long Term Support (LTS) version, supported until 11th September
> >> 2023. Our previous LTS version (1.0.2 series) will continue to be
> >> supported until 31st December 2019 (security fixes only during the
> >> last year of support). The 1.1.0 series is currently only receiving
> >> security fixes and will go out of support on 11th September 2019. All
> >> users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as
> >> possible. The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support
> >> and should not be used.
> >
> > I know, everyone's going to groan hearing this, but maybe given the
> > above it would make sense to upgrade to the openssl 1.1.0 series before
> > Guix 1.0 gets out the door?
>
> Indeed, I was under the assumption that 1.0 was still the stable
> version, but apparently it’s not.
>
> What do Leo and others think?
>

I would go for the upgrade. As this is a change affecting lots of packages,
and this upgrade would allow us to reduce the chances to stuck with a
vulnerable version. I also suppose, that there areg- some changes on
core-updates we would like to merge anyways before 1.0, so if the upgrade
goes smoothly, then this is not a big loss of time. Wdyt?

>
> Thanks for the heads-up!
>
> Ludo’.
>

Best regards,
g_bor

>
>

[-- Attachment #2: Type: text/html, Size: 2521 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Should we upgrade openssl?
  2019-04-17  6:09   ` Gábor Boskovits
@ 2019-04-17 12:28     ` Ludovic Courtès
  2019-04-17 12:31       ` Gábor Boskovits
  2019-04-19 16:56       ` Leo Famulari
  0 siblings, 2 replies; 7+ messages in thread
From: Ludovic Courtès @ 2019-04-17 12:28 UTC (permalink / raw)
  To: Gábor Boskovits; +Cc: Guix-devel

Hi Gábor,

Gábor Boskovits <boskovits@gmail.com> skribis:

> I would go for the upgrade. As this is a change affecting lots of packages,
> and this upgrade would allow us to reduce the chances to stuck with a
> vulnerable version. I also suppose, that there areg- some changes on
> core-updates we would like to merge anyways before 1.0, so if the upgrade
> goes smoothly, then this is not a big loss of time. Wdyt?

Merging ‘core-updates’ is no longer an option for 1.0: I’m seriously
still aiming for around April 30th.  Let’s get our act together!

Likewise, I don’t think the OpenSSL upgrade can be merged on time.  But
that’s OK: we can start working on it and have it merged as soon as
possible, possibly with all of ‘core-updates’.

Thoughts?

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Should we upgrade openssl?
  2019-04-17 12:28     ` Ludovic Courtès
@ 2019-04-17 12:31       ` Gábor Boskovits
  2019-04-18 17:15         ` Ludovic Courtès
  2019-04-19 16:56       ` Leo Famulari
  1 sibling, 1 reply; 7+ messages in thread
From: Gábor Boskovits @ 2019-04-17 12:31 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix-devel

[-- Attachment #1: Type: text/plain, Size: 1064 bytes --]

Hello,

Ludovic Courtès <ludo@gnu.org> ezt írta (időpont: 2019. ápr. 17., Sze
14:28):

> Hi Gábor,
>
> Gábor Boskovits <boskovits@gmail.com> skribis:
>
> > I would go for the upgrade. As this is a change affecting lots of
> packages,
> > and this upgrade would allow us to reduce the chances to stuck with a
> > vulnerable version. I also suppose, that there areg- some changes on
> > core-updates we would like to merge anyways before 1.0, so if the upgrade
> > goes smoothly, then this is not a big loss of time. Wdyt?
>
> Merging ‘core-updates’ is no longer an option for 1.0: I’m seriously
> still aiming for around April 30th.  Let’s get our act together!
>
Ok, that's clear.

>
> Likewise, I don’t think the OpenSSL upgrade can be merged on time.  But
> that’s OK: we can start working on it and have it merged as soon as
> possible, possibly with all of ‘core-updates’.
>
Do we have a list of actionable items we can work on to help?

>
> Thoughts?
>
> Thanks,
> Ludo’.
>
Best regards,
g_bor

>

[-- Attachment #2: Type: text/html, Size: 2040 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Should we upgrade openssl?
  2019-04-17 12:31       ` Gábor Boskovits
@ 2019-04-18 17:15         ` Ludovic Courtès
  0 siblings, 0 replies; 7+ messages in thread
From: Ludovic Courtès @ 2019-04-18 17:15 UTC (permalink / raw)
  To: Gábor Boskovits; +Cc: Guix-devel

Hi Gábor,

Gábor Boskovits <boskovits@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> ezt írta (időpont: 2019. ápr. 17., Sze

[...]

>> Likewise, I don’t think the OpenSSL upgrade can be merged on time.  But
>> that’s OK: we can start working on it and have it merged as soon as
>> possible, possibly with all of ‘core-updates’.
>>
> Do we have a list of actionable items we can work on to help?

‘core-updates’ currently fails to build Python 2, which prevents
evaluations from happening in Cuirass.

That said, I’d encourage you to focus on 1.0 first in the short term.
:-)

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Should we upgrade openssl?
  2019-04-17 12:28     ` Ludovic Courtès
  2019-04-17 12:31       ` Gábor Boskovits
@ 2019-04-19 16:56       ` Leo Famulari
  1 sibling, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2019-04-19 16:56 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix-devel

[-- Attachment #1: Type: text/plain, Size: 841 bytes --]

On Wed, Apr 17, 2019 at 02:28:13PM +0200, Ludovic Courtès wrote:
> Merging ‘core-updates’ is no longer an option for 1.0: I’m seriously
> still aiming for around April 30th.  Let’s get our act together!
> 
> Likewise, I don’t think the OpenSSL upgrade can be merged on time.  But
> that’s OK: we can start working on it and have it merged as soon as
> possible, possibly with all of ‘core-updates’.

I agree, it's not feasible to implement and test this OpenSSL upgrade
for an April 30th deployment. But we do need to do the upgrade during
2019, because OpenSSL 1.0.2 will become unsupported when this year ends.

It shouldn't be too bad because all the other distros are working on it
too, if they have not already finished the upgrade. At this point many
of the users have been adjusted to work with 1.1.1.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2019-04-19 16:56 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-04-15 14:10 Should we upgrade openssl? Christopher Lemmer Webber
2019-04-16 20:17 ` Ludovic Courtès
2019-04-17  6:09   ` Gábor Boskovits
2019-04-17 12:28     ` Ludovic Courtès
2019-04-17 12:31       ` Gábor Boskovits
2019-04-18 17:15         ` Ludovic Courtès
2019-04-19 16:56       ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).