[OE-core] openssl10 unusable for many components
Khem Raj
raj.khem at gmail.com
Fri Aug 18 05:56:25 UTC 2017
On Thu, Aug 17, 2017 at 4:54 AM, Alexander Kanavin
<alexander.kanavin at linux.intel.com> wrote:
> On 08/17/2017 02:46 PM, Martin Jansa wrote:
>>
>> I meant "real-world" as builds for any products on the market (which are
>> likely using one of the failing recipes) - e.g. in LGE we have many more
>> failures over all internal components, so I'll just undo this openssl switch
>> (renaming openssl_1.1 as openssl11 and openssl11_1.0 back as openssl_1.0
>> with PROVIDES openssl11). We won't be able to use openssl-1.1 for long time
>> anyway, because there are some 3rd party component which are difficult (or
>> expensive) to get rebuilt against new openssl ABI, but we might be
>> interested in some other improvements in oe-core/master.
>
>
> Yes, this will work for you as a quick fix, but it is merely postponing
> dealing with the issue properly to a later date. Make a plan for it and keep
> in mind that openssl 1.0 goes out of upstream support at the end of 2019.
> Given its history of major security vulnerabilities, it will be removed from
> oe-core well before that time, so that it won't linger in supported YP
> releases.
>
I was trying nodejs and it seems its also broken by this openssl
upgrade. Meta-oe alone has amost 50 recipes that are broken. there are
hundreds of other layers.
Many large packages in external layers are now broken, and the fact
that openssl10
is almost useless since some package will pull in openssl11 and cause
conflicts. This
is not a a good solution at least it seems to early for release. It
might take a bit for packages to get working with openssl11, We should
have carefully thought and considered postponing using it as default
until next release ( april 2018). Its fine to keep it in if needed but
keep openssl 1.0 as default preferred version, I don't think whole
ecosystem is ready for it and we don't have man power to fix
everything. This alone has a potential to make
October release quite weak as far as external layers are concerned
If we want to keep openssl 1.1 in Oe-Core as default its fine, then
lets provide a way to downgrade it instead of openssl10 recipe which
is sub-optimal since OE does build from
source and not binary packages where such a solution might work.
More information about the Openembedded-core
mailing list