Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove OpenSSL 1.0 #46876

Merged
merged 1 commit into from Nov 21, 2019
Merged

Remove OpenSSL 1.0 #46876

merged 1 commit into from Nov 21, 2019

Conversation

fxcoudert
Copy link
Member

@fxcoudert fxcoudert commented Nov 18, 2019

OpenSSL 1.0 will reach EOL on 2019-12-31

  • See #46454 for the work that happened before this
  • A lot of formulas were updated, or in some cases patched, in order to make them compatible with OpenSSL 1.1
  • virtuoso is the last remaining one, it's not in a good shape, and has medium-low install count (17 installs per month) openlink/virtuoso-opensource#583 (comment)

Will only test this PR once #46875 is merged

@fxcoudert fxcoudert added marked for removal/rejection maintainer feedback labels Nov 18, 2019
@fxcoudert
Copy link
Member Author

@fxcoudert fxcoudert commented Nov 18, 2019

Question for fellow @Homebrew/core maintainers: do we wait to remove it at the last minute (on 2019-12-31)?

I say let's do it now, to avoid accidental reuse (like we recently merged 3 new formulas with openssl dependency, without noticing)

@fxcoudert
Copy link
Member Author

@fxcoudert fxcoudert commented Nov 18, 2019

@BrewTestBot test this please

@Bo98
Copy link
Member

@Bo98 Bo98 commented Nov 18, 2019

@fxcoudert
Copy link
Member Author

@fxcoudert fxcoudert commented Nov 18, 2019

@Bo98 I'm happy with a Debian patch if it applies cleanly. Could you open a PR?

@MikeMcQuaid
Copy link
Member

@MikeMcQuaid MikeMcQuaid commented Nov 18, 2019

@Bo98 and can you ensure the Debian patch was submitted upstream and add a comment to the upstream submission? Thanks ❤️

@Bo98
Copy link
Member

@Bo98 Bo98 commented Nov 18, 2019

@fxcoudert I'll test it out shortly.

@MikeMcQuaid Debian say they forwarded it via openlink/virtuoso-opensource#583, but that's not strictly true since there's small differences. I will look and see what those differences are and mention it in a comment upstream.

@Bo98
Copy link
Member

@Bo98 Bo98 commented Nov 18, 2019

I have left a review upstream noting the differences. See the linked pull request above for that.

I've applied the patches to Homebrew and opened a pull request at #46885.

Copy link
Member

@chenrui333 chenrui333 left a comment

👍 💯

@Bo98
Copy link
Member

@Bo98 Bo98 commented Nov 19, 2019

Interesting pgloader test issue spotted:

==> /usr/local/Cellar/pgloader/3.6.1/bin/pgloader /private/tmp/pgloader-test-201

Type HELP for debugger help, or (SB-EXT:EXIT) to exit from SBCL.

restarts (invokable by number or by possibly-abbreviated name):
  0: [CONTINUE       ] Skip this shared object and continue.
  1: [RETRY          ] Retry loading this shared object.
  2: [CHANGE-PATHNAME] Specify a different pathname to load the shared object from.
  3: [ABORT          ] Exit from the current thread.

(SB-SYS:DLOPEN-OR-LOSE #S(SB-ALIEN::SHARED-OBJECT :PATHNAME #P"/usr/local/opt/openssl/lib/libcrypto.dylib" :NAMESTRING "/usr/local/opt/openssl/lib/libcrypto.dylib" :HANDLE NIL :DONT-SAVE NIL))
0] ABORT
Last 15 lines from /Users/bo/Library/Logs/Homebrew/pgloader/test.03.pgloader:
2019-11-19 01:49:46 +0000

/usr/local/Cellar/pgloader/3.6.1/bin/pgloader
/private/tmp/pgloader-test-20191119-31326-2cy68d/test.load


debugger invoked on a SIMPLE-ERROR in thread
#<THREAD "main thread" RUNNING {10005885B3}>:
  Error opening shared object "/usr/local/opt/openssl/lib/libcrypto.dylib":
  dlopen(/usr/local/opt/openssl/lib/libcrypto.dylib, 10): image not found.

@fxcoudert
Copy link
Member Author

@fxcoudert fxcoudert commented Nov 19, 2019

Rebased to remove the Virtuoso changes, thanks to the excellent work of @Bo98

@Bo98 where did you spot that pgloader issue?

@MikeMcQuaid
Copy link
Member

@MikeMcQuaid MikeMcQuaid commented Nov 19, 2019

I have left a review upstream noting the differences. See the linked pull request above for that.

I've applied the patches to Homebrew and opened a pull request at #46885.

Perfect, thanks!

@Bo98
Copy link
Member

@Bo98 Bo98 commented Nov 19, 2019

@fxcoudert Initially in the CI in the PostgreSQL 12.1 pull request, but I’ve reproduced it locally as well (without any changes).

@Bo98
Copy link
Member

@Bo98 Bo98 commented Nov 19, 2019

Fix here: #46909.

@Bo98
Copy link
Member

@Bo98 Bo98 commented Nov 20, 2019

One possibility to throw on the table, if developers still potentially needing this is a concern, is to move it to openssl@1.0 for its remaining days.

igas
igas approved these changes Nov 21, 2019
@fxcoudert fxcoudert merged commit 0349a7c into Homebrew:master Nov 21, 2019
1 check passed
@fxcoudert fxcoudert deleted the openssl branch Nov 21, 2019
@Bo98
Copy link
Member

@Bo98 Bo98 commented Nov 21, 2019

🍾

Time to brew uninstall openssl if you haven't already.

@michaelblyons
Copy link

@michaelblyons michaelblyons commented Nov 21, 2019

Time to brew uninstall openssl if you haven't already.

I get something like this:

$ brew uninstall openssl
Error: Refusing to uninstall /usr/local/Cellar/openssl/1.0.2t
because it is required by cairo, gnupg, ..., and wget, which are currently installed.
You can override this and force removal with:
  brew uninstall --ignore-dependencies openssl

Interestingly, wget claims not to need it:

$ brew deps wget
gettext
libidn2
libunistring
openssl@1.1

Is there a reason I get the warning?

@Bo98
Copy link
Member

@Bo98 Bo98 commented Nov 21, 2019

Yes, you aren't alone: https://discourse.brew.sh/t/installed-formulae-depend-on-openssl-diverging-from-spec-dependency-on-openssl-1-1/6294/2

brew reinstall on those formula will fix it - but clearly you shouldn't need to.

@MikeMcQuaid Any thoughts on this issue?

@MikeMcQuaid
Copy link
Member

@MikeMcQuaid MikeMcQuaid commented Nov 22, 2019

Is there a reason I get the warning?

Yes, those applications are linked against openssl and you should reinstall them. brew deps --installed wget may show the right versions here.

@MikeMcQuaid
Copy link
Member

@MikeMcQuaid MikeMcQuaid commented Nov 22, 2019

In short: dependencies declared in a formula may not match those after installation (which are based on the actual linkage which may vary depending on the build system of the application and annoying opportunistic linkage).

@MikeMcQuaid
Copy link
Member

@MikeMcQuaid MikeMcQuaid commented Nov 22, 2019

Instead of brew deps for this particular case you may find brew linkage wget etc. more illuminating.

convenient added a commit to AmpersandHQ/homebrew-php that referenced this issue Nov 22, 2019
@dgholz
Copy link

@dgholz dgholz commented Nov 22, 2019

Hello, I've got a need for openssl at version 1.0 (rebuilding binaries from historical sources). It would be nice to have the formula still available even past its end-of-life, even if no other formulae require it.

@fxcoudert
Copy link
Member Author

@fxcoudert fxcoudert commented Nov 22, 2019

@dgholz We're definitely not shipping unmaintained software (https://docs.brew.sh/Acceptable-Formulae), especially one that known for its security risks. But due to the modular nature of Homebrew, it's very easy to maintain a formula in your own tap: https://docs.brew.sh/How-to-Create-and-Maintain-a-Tap (and you can even provide bottles for it!)

@MikeMcQuaid
Copy link
Member

@MikeMcQuaid MikeMcQuaid commented Nov 22, 2019

@dgholz brew extract should make this very easy for you to do.

@dgholz
Copy link

@dgholz dgholz commented Nov 22, 2019

Thanks, running brew new-tap dgholz/old-openssl <repo> & then brew extract --version=1.0.2t openssl dgholz/old-openssl lets me keep my crusty old builds going.

@MikeMcQuaid
Copy link
Member

@MikeMcQuaid MikeMcQuaid commented Nov 27, 2019

The supported way to still use OpenSSL 1.0 is to use brew extract. brew installing from a URL is insecure and will break.

@Homebrew Homebrew locked as resolved and limited conversation to collaborators Nov 27, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
maintainer feedback marked for removal/rejection
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

7 participants