public inbox for cygwin-apps@cygwin.com
* OpenSSL package updates
From: Achim Gratz @ 2021-10-24 15:25 UTC
  To: cygwin-apps


I have updated the recently released Cygwin packages with all upstream
patches from Fedora plus the patches for all CVEs affecting version 1.0.2
since the last official version and changed the cygport files so they
build on AppVeyor.  The packages have been pushed to the respective
playground branches:

https://cygwin.com/git-cygwin-packages?p=git/cygwin-packages/openssl10.git;a=shortlog;h=refs/heads/playground
https://cygwin.com/git-cygwin-packages?p=git/cygwin-packages/openssl.git;a=shortlog;h=refs/heads/playground

I have not yet looked at the MinGW64 libraries and I will not have time
next week to do any further work.  I might do an ITA later on when I
have everything completed.  I'd appreciate if someone would take a look
and test these builds in the meantime.

Brian's previous attempt on 1.1.1l would be here (until GC will remove it):

https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/openssl.git;a=shortlog;h=65282b57e4b5c97134dd9f6332b99a6e1d44b05f


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf microQ V2.22R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada


* Re: OpenSSL package updates
From: Achim Gratz @ 2021-11-06 15:58 UTC
  To: cygwin-apps

Achim Gratz writes:
> I have updated the recently released Cygwin packages with all upstream
> patches from Fedora plus the patches for all CVEs affecting version 1.0.2
> since the last official version and changed the cygport files so they
> build on AppVeyor.  The packages have been pushed to the respective
> playground branches:
>
> https://cygwin.com/git-cygwin-packages?p=git/cygwin-packages/openssl10.git;a=shortlog;h=refs/heads/playground
> https://cygwin.com/git-cygwin-packages?p=git/cygwin-packages/openssl.git;a=shortlog;h=refs/heads/playground

I've just updated the playground branches with the respective MinGW64
OpenSSL packages integrated (I needed to drop two patches from Fedora
for OpenSSL 1.0 because they were using an API not available on
MinGW64).

> I have not yet looked at the MinGW64 libraries and I will not have time
> next week to do any further work.  I might do an ITA later on when I
> have everything completed.  I'd appreciate if someone would take a look
> and test these builds in the meantime.

So it turns out that there weren't any OpenSSL 1.1 packages for MinGW64
existing and so the OpenSSL 1.0 packages are still named *-openssl
instead of *-openssl10.  I haven't yet tried to build the 1.1 version
for MinGW64, but I'd tend to do the rename first and then clobber the
*-openssl name for the newer version.  How was that handled for the
Cygwin packages?


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Q+, Q and microQ:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds


* Re: OpenSSL package updates
From: Corinna Vinschen @ 2021-11-06 17:24 UTC
  To: cygwin-apps

On Nov  6 16:58, Achim Gratz wrote:
> Achim Gratz writes:
> > I have updated the recently released Cygwin packages with all upstream
> > patches from Fedora plus the patches for all CVEs affecting version 1.0.2
> > since the last official version and changed the cygport files so they
> > build on AppVeyor.  The packages have been pushed to the respective
> > playground branches:
> >
> > https://cygwin.com/git-cygwin-packages?p=git/cygwin-packages/openssl10.git;a=shortlog;h=refs/heads/playground
> > https://cygwin.com/git-cygwin-packages?p=git/cygwin-packages/openssl.git;a=shortlog;h=refs/heads/playground
> 
> I've just updated the playground branches with the respective MinGW64
> OpenSSL packages integrated (I needed to drop two patches from Fedora
> for OpenSSL 1.0 because they were using an API not available on
> MinGW64).
> 
> > I have not yet looked at the MinGW64 libraries and I will not have time
> > next week to do any further work.  I might do an ITA later on when I
> > have everything completed.  I'd appreciate if someone would take a look
> > and test these builds in the meantime.
> 
> So it turns out that there weren't any OpenSSL 1.1 packages for MinGW64
> existing and so the OpenSSL 1.0 packages are still named *-openssl
> instead of *-openssl10.  I haven't yet tried to build the 1.1 version
> for MinGW64, but I'd tend to do the rename first and then clobber the
> *-openssl name for the newer version.  How was that handled for the
> Cygwin packages?

That started with OpenSSL 0.9.5 I think, I'm not sure anymore.  You
should be able to do this in a single step, as long as you craft the
dependencies so that an update of the openssl package pulls in the
openssl10 package with the old lib.  As soon as all dependent distro
packages are updated, you can just drop the dependency and then the old
package entirely.


Corinna


* Re: OpenSSL package updates
From: Achim Gratz @ 2021-11-06 19:59 UTC
  To: cygwin-apps

Corinna Vinschen via Cygwin-apps writes:
> That started with OpenSSL 0.9.5 I think, I'm not sure anymore.  You
> should be able to do this in a single step, as long as you craft the
> dependencies so that an update of the openssl package pulls in the
> openssl10 package with the old lib.  As soon as all dependent distro
> packages are updated, you can just drop the dependency and then the old
> package entirely.

I was hoping there was a precedent we could use for this.

The idea would be that the old openssl dependencies are all converted to
point to mingw64-*-openssl10 instead and the old packages either renamed
or removed before the (final?) update to mingw64-*-openssl-1.0.2u+za.
Then drop in mingw64-*-openssl-1.1.1l openssl, which most packages that
are still actively maintained would probably need anyway during one of
their next updates.

The packages that are affected:

mingw64-*-botan
mingw64-*-curl
mingw64-*-gnome-vfs
mingw64-*-gstreamer
mingw64-*-libevent
mingw64-*-libgda
mingw64-*-liboauth
mingw64-*-libshout
mingw64-*-libssl2
mingw64-*-libzip
mingw64-*-mariadb-connector
mingw64-*-neon
mingw64-*-nghttp
mingw64-*-opusfile
mingw64-*-postgresql
mingw64-*-qca
mingw64-*-qt4
mingw64-*-qt5-base
mingw64-*-glib2
mingw64-*-unbound



Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptation for Waldorf Blofeld V1.15B11:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada


* Re: OpenSSL package updates
From: Corinna Vinschen @ 2021-11-06 21:17 UTC
  To: cygwin-apps

On Nov  6 20:59, Achim Gratz wrote:
> Corinna Vinschen via Cygwin-apps writes:
> > That started with OpenSSL 0.9.5 I think, I'm not sure anymore.  You
> > should be able to do this in a single step, as long as you craft the
> > dependencies so that an update of the openssl package pulls in the
> > openssl10 package with the old lib.  As soon as all dependent distro
> > packages are updated, you can just drop the dependency and then the old
> > package entirely.
> 
> I was hoping there was a precedent we could use for this.
> 
> The idea would be that the old openssl dependencies are all converted to
> point to mingw64-*-openssl10 instead and the old packages either renamed
> or removed before the (final?) update to mingw64-*-openssl-1.0.2u+za.
> Then drop in mingw64-*-openssl-1.1.1l openssl, which most packages that
> are still actively maintained would probably need anyway during one of
> their next updates.

You create a new mingw-openssl10 package set, or even just a single
package only providing the openssl 1.0 DLLs, i.e. mingw-libopenssl100.

Then you create the mingw-openssl packages with the new 1.1 version.
The mingw-libopenssl110 package gets an extra dependency to
mingw-libopenssl100.  That will work OOTB without having to fix the
dependent package hints.

The old openssl packages providing the previous 1.0 versions should
better get removed, I guess.

In a second step the dependencies in the below packages could be changed
to require the mingw-libopenssl100 package.  At least that would be
better for bookkeeping.  Does that require manual intervention on the
server?  I'm not sure, Jon would know this better.

Corinna


> 
> The packages that are affected:
> 
> mingw64-*-botan
> mingw64-*-curl
> mingw64-*-gnome-vfs
> mingw64-*-gstreamer
> mingw64-*-libevent
> mingw64-*-libgda
> mingw64-*-liboauth
> mingw64-*-libshout
> mingw64-*-libssl2
> mingw64-*-libzip
> mingw64-*-mariadb-connector
> mingw64-*-neon
> mingw64-*-nghttp
> mingw64-*-opusfile
> mingw64-*-postgresql
> mingw64-*-qca
> mingw64-*-qt4
> mingw64-*-qt5-base
> mingw64-*-glib2
> mingw64-*-unbound


* Re: OpenSSL package updates
From: Achim Gratz @ 2021-11-07  9:44 UTC
  To: cygwin-apps

Corinna Vinschen via Cygwin-apps writes:
> You create a new mingw-openssl10 package set, or even just a single
> package only providing the openssl 1.0 DLLs, i.e. mingw-libopenssl100.

I don't really want to create even more packages…

> Then you create the mingw-openssl packages with the new 1.1 version.

That doesn't work as it breaks the dependency chains.  The packages
depending on mingw64-*-openssl would trigger an update to a different
ABI, not a replacement for the old one.  So they'd all have to be
rebuilt (which isn't going to happen any time soon).

> The mingw-libopenssl110 package gets an extra dependency to
> mingw-libopenssl100.  That will work OOTB without having to fix the
> dependent package hints.

You meant to say something else, but I'm not sure what.  :-)

> The old openssl packages providing the previous 1.0 versions should
> better get removed, I guess.

I have no problem with that idea as long as the previous packages can be
reinstated for inspection if necessary.

> In a second step the dependencies in the below packages could be changed
> to require the mingw-libopenssl100 package.  At least that would be
> better for bookkeeping.  Does that require manual intervention on the
> server?  I'm not sure, Jon would know this better.

Yes, all the hint files would need to get edited.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldUserWavetables


* Re: OpenSSL package updates
From: Jon Turney @ 2021-11-07 11:39 UTC
  To: cygwin-apps

On 07/11/2021 09:44, Achim Gratz wrote:
> Corinna Vinschen via Cygwin-apps writes:
> 
> I have no problem with that idea as long as the previous packages can be
> reinstated for inspection if necessary.
> 
>> In a second step the dependencies in the below packages could be changed
>> to require the mingw-libopenssl100 package.  At least that would be
>> better for bookkeeping.  Does that require manual intervention on the
>> server?  I'm not sure, Jon would know this better.
> 
> Yes, all the hint files would need to get edited.

Stop!

We don't put the soversion into cross-package names.

I don't think we are the only distro to do that.

I don't think it makes any sense to do so, as there are no executables in
other cross-packages which use that shared library.

Any user cross-built executables will need to be rebuilt after this
update (and the names of any shared libraries distributed with the
cross-built executable updated).

I get that this is trying to avoid having to rebuild all the dependent
cross-packages right now, but they need to be rebuilt eventually, and
making stuff more complex just for that temporary state doesn't seem
useful.
