From mboxrd@z Thu Jan 1 00:00:00 1970
From: Gábor Boskovits
Subject: Re: Should we upgrade openssl?
Date: Wed, 17 Apr 2019 08:09:22 +0200
References: <87wojvmk9n.fsf@dustycloud.org> <87r2a1d7s3.fsf@gnu.org>
In-Reply-To: <87r2a1d7s3.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès
Cc: Guix-devel

Hello,

Ludovic Courtès wrote (on Tue, Apr 16, 2019, 22:17):

> Hello!
>
> Christopher Lemmer Webber wrote:
>
> > From the openssl website:
> >
> >> Note: The latest stable version is the 1.1.1 series. This is also our
> >> Long Term Support (LTS) version, supported until 11th September
> >> 2023. Our previous LTS version (1.0.2 series) will continue to be
> >> supported until 31st December 2019 (security fixes only during the
> >> last year of support). The 1.1.0 series is currently only receiving
> >> security fixes and will go out of support on 11th September 2019. All
> >> users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as
> >> possible. The 0.9.8, 1.0.0 and 1.0.1 versions are now out of support
> >> and should not be used.
> >
> > I know, everyone's going to groan hearing this, but maybe given the
> > above it would make sense to upgrade to the openssl 1.1.0 series before
> > Guix 1.0 gets out the door?
>
> Indeed, I was under the assumption that 1.0 was still the stable
> version, but apparently it’s not.
>
> What do Leo and others think?

I would go for the upgrade. This is a change affecting lots of packages, and this upgrade would allow us to reduce the chances of getting stuck with a vulnerable version. I also suppose that there are some changes on core-updates we would like to merge anyway before 1.0, so if the upgrade goes smoothly, then this is not a big loss of time. Wdyt?

> Thanks for the heads-up!
>
> Ludo’.

Best regards,
g_bor