[OmniOS-discuss] OpenSSL futures

Peter Tribble peter.tribble at gmail.com
Mon Apr 4 21:15:12 UTC 2016


On Thu, Mar 31, 2016 at 3:40 PM, Dan McDonald <danmcd at omniti.com> wrote:

> As I'm updating and checking packages for r151018's release, I notice that
> OpenSSL is rapidly approaching a 1.1.0 release.  I visited their Release
> Strategy page:
>
>         http://openssl.org/policies/releasestrat.html
>
> And noticed that 1.0.2 is LTS until 2019.  OTOH, 1.1.x will likely become
> LTS for some x,


For x > 0 and as yet unannounced. Although the policy tells us roughly when
the next LTS is announced, end 2018 would seem reasonable.

What this tells me is to stick to 1.0.2 as the supported branch until the
next LTS is decided. I'm presuming everything is going to be properly
versioned so that one can ship two versions of the shared library in
parallel for a transitional period.

(Hm. Sounds rather like the libpng story in terms of evolving the API by
making structures opaque. Although libpng changes the library name as well
as the version number of the .so. But my experience there was that the
transition was pretty ugly.)


> and there's also LibreSSL...
>

Not to mention PolarSSL and WolfSSL and ...

None of which are binary compatible with the current openssl (by which I
mean you can use them as shared-library replacements). Although recent
events have shown that openssl releases aren't quite as binary compatible
as one would like.


> I'm starting this thread to hear what the community has to say about where
> OmniOS should go w.r.t. its OpenSSL release.  I have internal customers
> too, of course, but I'll engage them separately.  We need to have an
> OpenSSL because illumos requires one.  We *could* do the SmartOS thing and
> keep our own SUNW/OMNI*...() api set, though.
>

They have to play those games because they ship 2 different openssl
instances, though. (One with the platform, one via pkgsrc or whatever.) If
you hide the internal copy, you still have to manage (or someone does, at
any rate) compatibility and releases of the public copy. The problem
doesn't go away, you just sweep it under someone else's carpet.

Users will have binaries linked against the existing openssl libraries,
and those need to continue to run.


> I can't guarantee what I'll ultimately decide, but knowing what people
> think can't hurt.
>

Thanks for asking!

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/