Version of OpenSSL included in upcoming 14.0-RELEASE

Reply: The Doctor : "Re: Version of OpenSSL included in upcoming 14.0-RELEASE"
Reply: User Ngor : "Re: Version of OpenSSL included in upcoming 14.0-RELEASE"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Yasuhiro Kimura <yasu_at_FreeBSD.org>
Date: Sat, 28 Jan 2023 07:34:14 UTC

Dear developers of base system,

Though release process of 13.2-RELEASE has just started, please let me
talk about one more next one.

According to the initial schedule of 14.0-RELEASE, release process
will start on April 25 and 14.0-RELEASE will be released on July
17.

https://www.freebsd.org/releases/14.0R/schedule/

So it means release process will start about 3 months later and
14.0-RELEASE will be released about 5.5 months later. And I would like
to ask a question.

Is it planned (or considered, scheduled, etc.) to upgrade version of
OpenSSL included in 14-CURRENT from 1.1.1 to 3.0?

According to the "Release Strategy" page of upstream
(https://www.openssl.org/policies/releasestrat.html), OpenSSL 1.1.1
will reach its EoL on September 11, 2023 and OpenSSL 3.0 will be
supported until September 7, 2026. Since EoL of OpenSSL 1.1.1 is only
after 2 months of the release of 14.0-RELEASE, it doesn't seems
realistic to include OpenSSL 1.1.1 in 14.0-RELEASE and upgrading to
OpenSSL 3.0 is inevitable.

Though I'm not familiar with the incompatibility between OpenSSL 1.1.1
and 3.0, I believe it is too optimistic to regard that build of
14-CURRENT succeeds without any error just by updating
/usr/src/crypto/openssl from 1.1.1 to 3.0. So it will take for a while
(a few weeks?) to finish it.

And it also affects build of ports. To be honest, it is rather my main
concern as ports committer. I checked Bugzilla and found following PR.

Bug 258413 [exp-run] OpenSSL 3.0 upgrade
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258413

Though it intends to check how many ports fails to be built if
security/openssl is updated to 3.0 and 'DEFAULT_VERSIONS+= openssl' is
set in /etc/make.conf, it is also applicable to after OpenSSL in
14-CURRENT is updated to 3.0. And according to the result of exp-run,
it doesn't seem to be easy job to adapt ports tree to OpenSSL 3.0. So
it probably will take longer than updating base system.

And considering these points, 3 months are not necessarily so long. So
I asked a question as above.

Please let me know current status about it.

Best Regards.

---
Yasuhiro Kimura