[OE-core] openssl10 unusable for many components

Mark Hatle mark.hatle at windriver.com
Fri Aug 18 17:56:56 UTC 2017


On 8/18/17 12:29 PM, Martin Jansa wrote:
> Even with that patch to rename openssl10 back to openssl we still need to solve
> the openssl-native which wasn't reverted back to 1.0.
> 
> Upstream nodejs isn't going to be openssl-1.1 for a bit longer as explained:
> https://github.com/nodejs/node/pull/14761

I wanted to pull out a specific comment from the above link that shows one of
the reasons why OpenSSL 1.1 support is delayed by many:

7 days ago: shigeki commented:
> We're also waiting for FIPS support of 1.1.x. They are now working on it as https://www.openssl.org/blog/blog/2017/07/25/fips/.
> ...

Until the OpenSSL 1.1.x FIPS work is further along, a lot of projects (and major
distributions) are going to wait to deploy it.

--Mark

> https://github.com/nodejs/node/pull/11828
> so it would make sense to revert native and nativesdk versions as well - if it
> isn't done in oe-core, I'll do it in our own layers to keep the builds going.
> 
> On Fri, Aug 18, 2017 at 4:41 PM, Khem Raj <raj.khem at gmail.com> wrote:
> 
>     On Fri, Aug 18, 2017 at 3:53 AM, Alexander Kanavin
>     <alexander.kanavin at linux.intel.com> wrote:
>     > On 08/18/2017 08:56 AM, Khem Raj wrote:
>     >
>     >> I was trying nodejs and it seems it's also broken by this openssl
>     >> upgrade. Meta-oe alone has almost 50 recipes that are broken. There are
>     >> hundreds of other layers.
>     >> Many large packages in external layers are now broken, and the fact
>     >> that openssl10 is almost useless since some package will pull in
>     >> openssl11 and cause conflicts. This is not a good solution, at least
>     >> it seems too early for release. It might take a bit for packages to
>     >> get working with openssl11. We should have carefully thought and
>     >> considered postponing using it as default until next release
>     >> (April 2018). It's fine to keep it in if needed but keep openssl 1.0
>     >> as default preferred version. I don't think the whole ecosystem is
>     >> ready for it and we don't have manpower to fix everything. This alone
>     >> has a potential to make the October release quite weak as far as
>     >> external layers are concerned.
>     >
>     >
>     > FWIW, nodejs from meta-oe does build just fine with openssl10 dependency.
> 
>     No, it doesn't; try building nodejs-native.
> 
>      So
>     > it's not exactly useless. And no one has established how many of the other
>     > 50 packages can be fixed by either doing that, or updating them to latest
>     > upstream releases.
> 
>     That's not going to solve everything. Neither does pointing to Fedora patches.
> 
>     >
>     > I'll send a patch that renames openssl10 recipe back to openssl and sets
>     > that as a preferred version, so anyone can experiment with 1.1 without
>     > widespread breakage.
>     >
>     > But at the start of next development cycle this will be reverted back; no
>     > more complaining then please, we have to do this at some point, and just
>     > after a new cycle has started is as good time as it gets.
> 
>     Just putting random deadlines is not going to solve this, there has to
>     be some look at upstream packages and other distros switching to
>     openssl11 and dropping openssl10 completely. People have fielded
>     products to support and they need some assurance of forward path,
>     their ecosystem might involve a lot larger package set than just
>     oe-core.