
Remove OpenSSL 1.0 #46876

Merged
merged 1 commit into from Nov 21, 2019


Member

fxcoudert commented Nov 18, 2019

OpenSSL 1.0 will reach EOL on 2019-12-31

  • See #46454 for the work that happened before this
  • A lot of formulas were updated, or in some cases patched, in order to make them compatible with OpenSSL 1.1
  • virtuoso is the last remaining one, it's not in a good shape, and has medium-low install count (17 installs per month) openlink/virtuoso-opensource#583 (comment)

Will only test this PR once #46875 is merged

Member Author

fxcoudert commented Nov 18, 2019

Question for fellow @Homebrew/core maintainers: do we wait to remove it at the last minute (on 2019-12-31)?

I say let's do it now, to avoid accidental reuse (like we recently merged 3 new formulas with openssl dependency, without noticing)

Member Author

fxcoudert commented Nov 18, 2019

@BrewTestBot test this please

Member

Bo98 commented Nov 18, 2019

Member Author

fxcoudert commented Nov 18, 2019

@Bo98 I'm happy with a Debian patch if it applies cleanly. Could you open a PR?

Member

MikeMcQuaid commented Nov 18, 2019

@Bo98 and can you ensure the Debian patch was submitted upstream and add a comment to the upstream submission? Thanks ❤️

Member

Bo98 commented Nov 18, 2019

@fxcoudert I'll test it out shortly.

@MikeMcQuaid Debian say they forwarded it via openlink/virtuoso-opensource#583, but that's not strictly true since there are small differences. I will look and see what those differences are and mention it in a comment upstream.

Member

Bo98 commented Nov 18, 2019

I have left a review upstream noting the differences. See the linked pull request above for that.

I've applied the patches to Homebrew and opened a pull request at #46885.

issyl0 mentioned this pull request Nov 18, 2019
21 of 21 tasks complete
Member

chenrui333 left a comment

👍 💯

Member

Bo98 commented Nov 19, 2019

Interesting pgloader test issue spotted:

==> /usr/local/Cellar/pgloader/3.6.1/bin/pgloader /private/tmp/pgloader-test-201

Type HELP for debugger help, or (SB-EXT:EXIT) to exit from SBCL.

restarts (invokable by number or by possibly-abbreviated name):
  0: [CONTINUE       ] Skip this shared object and continue.
  1: [RETRY          ] Retry loading this shared object.
  2: [CHANGE-PATHNAME] Specify a different pathname to load the shared object from.
  3: [ABORT          ] Exit from the current thread.

(SB-SYS:DLOPEN-OR-LOSE #S(SB-ALIEN::SHARED-OBJECT :PATHNAME #P"/usr/local/opt/openssl/lib/libcrypto.dylib" :NAMESTRING "/usr/local/opt/openssl/lib/libcrypto.dylib" :HANDLE NIL :DONT-SAVE NIL))
0] ABORT
Last 15 lines from /Users/bo/Library/Logs/Homebrew/pgloader/test.03.pgloader:
2019-11-19 01:49:46 +0000

/usr/local/Cellar/pgloader/3.6.1/bin/pgloader
/private/tmp/pgloader-test-20191119-31326-2cy68d/test.load


debugger invoked on a SIMPLE-ERROR in thread
#<THREAD "main thread" RUNNING {10005885B3}>:
  Error opening shared object "/usr/local/opt/openssl/lib/libcrypto.dylib":
  dlopen(/usr/local/opt/openssl/lib/libcrypto.dylib, 10): image not found.
fxcoudert force-pushed the fxcoudert:openssl branch from 66b20fa to 5c3de7d Nov 19, 2019

Member Author

fxcoudert commented Nov 19, 2019

Rebased to remove the Virtuoso changes, thanks to the excellent work of @Bo98

@Bo98 where did you spot that pgloader issue?

Member

MikeMcQuaid commented Nov 19, 2019

> I have left a review upstream noting the differences. See the linked pull request above for that.
>
> I've applied the patches to Homebrew and opened a pull request at #46885.

Perfect, thanks!

Member

Bo98 commented Nov 19, 2019

@fxcoudert Initially in the CI in the PostgreSQL 12.1 pull request, but I’ve reproduced it locally as well (without any changes).

Member

Bo98 commented Nov 19, 2019

Fix here: #46909.

Member

Bo98 commented Nov 20, 2019

One possibility to throw on the table, if developers still potentially needing this is a concern, is to move it to openssl@1.0 for its remaining days.

igas approved these changes Nov 21, 2019

fxcoudert merged commit 0349a7c into Homebrew:master Nov 21, 2019

1 check passed
continuous-integration/jenkins/ghprb Build finished.

fxcoudert deleted the fxcoudert:openssl branch Nov 21, 2019

Member

Bo98 commented Nov 21, 2019

🍾

Time to brew uninstall openssl if you haven't already.


michaelblyons commented Nov 21, 2019

> Time to brew uninstall openssl if you haven't already.

I get something like this:

$ brew uninstall openssl
Error: Refusing to uninstall /usr/local/Cellar/openssl/1.0.2t
because it is required by cairo, gnupg, ..., and wget, which are currently installed.
You can override this and force removal with:
  brew uninstall --ignore-dependencies openssl

Interestingly, wget claims not to need it:

$ brew deps wget
gettext
libidn2
libunistring
openssl@1.1

Is there a reason I get the warning?

Member

Bo98 commented Nov 21, 2019

Yes, you aren't alone: https://discourse.brew.sh/t/installed-formulae-depend-on-openssl-diverging-from-spec-dependency-on-openssl-1-1/6294/2

brew reinstall on those formulae will fix it - but clearly you shouldn't need to.

@MikeMcQuaid Any thoughts on this issue?

Member

MikeMcQuaid commented Nov 22, 2019

> Is there a reason I get the warning?

Yes, those applications are linked against openssl and you should reinstall them. brew deps --installed wget may show the right versions here.

Member

MikeMcQuaid commented Nov 22, 2019

In short: dependencies declared in a formula may not match those after installation (which are based on the actual linkage which may vary depending on the build system of the application and annoying opportunistic linkage).

Member

MikeMcQuaid commented Nov 22, 2019

Instead of brew deps for this particular case you may find brew linkage wget etc. more illuminating.
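
Added example (not part of the thread, and not Homebrew's code): the declared-versus-linked mismatch discussed above, reproduced on constructed data. It takes a dependency list shaped like the `brew deps wget` output quoted earlier and a constructed `otool -L`-style listing, and reports formulae the binary links against without declaring them; the `/usr/local/opt/<formula>/` layout and the sample library lines are assumptions.

```sh
#!/bin/sh
# Added example: compare declared dependencies with actual linkage.
# Both inputs are constructed samples. DECLARED mirrors the `brew deps wget`
# output in the thread; LINKAGE imitates `otool -L` output for a binary that
# was built while the unversioned "openssl" formula was still OpenSSL 1.0.

DECLARED='gettext
libidn2
libunistring
openssl@1.1'

LINKAGE='/usr/local/bin/wget:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/libidn2/lib/libidn2.0.dylib (compatibility version 4.0.0, current version 4.6.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)'

# Print the unique formula names found in /usr/local/opt/<formula>/ paths
# (assumed layout). System libraries under /usr/lib are ignored.
linked_formulae() {
  printf '%s\n' "$1" |
    sed -n 's|^[[:space:]]*/usr/local/opt/\([^/]*\)/.*|\1|p' |
    sort -u
}

# Print formulae that are linked ($2) but missing from the declared list ($1).
# Matching is on the exact name, so "openssl" and "openssl@1.1" are treated
# as different formulae, which is the whole point of the check.
undeclared_links() {
  linked_formulae "$2" | while IFS= read -r name; do
    printf '%s\n' "$1" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

undeclared_links "$DECLARED" "$LINKAGE"
```

On the constructed input this reports `openssl`: the binary is still linked against the EOL library even though the formula now declares `openssl@1.1`, so it needs a reinstall before the old formula can be removed.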

convenient added a commit to AmpersandHQ/homebrew-php that referenced this pull request Nov 22, 2019

dgholz commented Nov 22, 2019

Hello, I've got a need for openssl at version 1.0 (rebuilding binaries from historical sources). It would be nice to have the formula still available even past its end-of-life, even if no other formulae require it.

Member Author

fxcoudert commented Nov 22, 2019

@dgholz We're definitely not shipping unmaintained software (https://docs.brew.sh/Acceptable-Formulae), especially one that is known for its security risks. But due to the modular nature of Homebrew, it's very easy to maintain a formula in your own tap: https://docs.brew.sh/How-to-Create-and-Maintain-a-Tap (and you can even provide bottles for it!)

Member

MikeMcQuaid commented Nov 22, 2019

@dgholz brew extract should make this very easy for you to do.


dgholz commented Nov 22, 2019

Thanks, running brew new-tap dgholz/old-openssl <repo> & then brew extract --version=1.0.2t openssl dgholz/old-openssl lets me keep my crusty old builds going.

Homebrew deleted a comment from trmaphi Nov 27, 2019

Member

MikeMcQuaid commented Nov 27, 2019

The supported way to still use OpenSSL 1.0 is to use brew extract. brew installing from a URL is insecure and will break.

Homebrew locked as resolved and limited conversation to collaborators Nov 27, 2019