Tls regression (#1418)

* Pin TLS to some version < 2.0. * Format cabal. * Documentation and commentary on TLS.
fossas · Apr 30, 2024 · 45c4f63 · 45c4f63
1 parent 9c24b80
commit 45c4f63
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,11 @@
 # FOSSA CLI Changelog
 
+## v3.9.15
+- Change TLS to a version that takes advantage of but does not require 1.2 with EMS.
+  This will be reverted in six months.
+  On-prem users should upgrade their servers to support either TLS 1.2 with EMS or TLS 1.3.
+  SAAS customers are unaffected. ([#1418](https://github.com/fossas/fossa-cli/pull/1418)).
+
 ## v3.9.14
 - Update cargo strategy to parse new `cargo metadata` format for cargo >= 1.77.0 ([#1416](https://github.com/fossas/fossa-cli/pull/1416)).
 - `fossa release-group`: Add command to create a FOSSA release group release (`fossa release-group create-release`) [#1409](https://github.com/fossas/fossa-cli/pull/1409).

diff --git a/spectrometer.cabal b/spectrometer.cabal
@@ -76,8 +76,10 @@ common lang
 
 -- TODO: Switch `semver` back to `versions` since https://github.com/fosskers/versions/issues/47 is fixed. This package maintainer seems much more responsive. Contrast https://github.com/brendanhay/semver/issues/12.
 -- codec-rpm is installed via cabal.project, so this number is an expected future version.
--- Upgrade text and mtl after codec-rpm conflict is fixed, probably as part of 9.4 upgrade.
--- Upgrade zip after text is upgraded
+-- TODO: Upgrade text and mtl after codec-rpm conflict is fixed, probably as part of 9.4 upgrade.
+-- TODO: Upgrade zip after text is upgraded.
+-- TODO: TLS isn't used directly but is pinned here while customers upgrade their servers to support TLS 1.2 with EMS or TLS 1.3.
+-- They've been warned about future support breaking. Upgrade to tls-2.* after 10/25/2024.
 common deps
   build-depends:
     , aeson                        ^>=2.2
@@ -146,6 +148,7 @@ common deps
     , text                         ^>=2.0.0
     , th-lift-instances            ^>=0.1.17
     , time                         >=1.9       && <1.13
+    , tls                          >=1.9       && <2.0
     , tomland                      ^>=1.3.3.0
     , transformers
     , typed-process                ^>=0.2.6