* openssl: OpenSSL 1.1.x update @ 2016-10-06 2:11 Tan, Raymond 2016-10-06 2:33 ` Mark Hatle 2016-10-06 2:44 ` Paul Eggleton 0 siblings, 2 replies; 10+ messages in thread From: Tan, Raymond @ 2016-10-06 2:11 UTC (permalink / raw) To: openembedded-core@lists.openembedded.org; +Cc: Gupta, Rahul KumarXX Greetings, I would like to know if there is any plan / schedule to upgrade to openssl 1.1.0 into OE-core? Thanks! Raymond Tan ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: openssl: OpenSSL 1.1.x update 2016-10-06 2:11 openssl: OpenSSL 1.1.x update Tan, Raymond @ 2016-10-06 2:33 ` Mark Hatle 2016-10-06 2:59 ` Khem Raj 2016-10-06 2:44 ` Paul Eggleton 1 sibling, 1 reply; 10+ messages in thread From: Mark Hatle @ 2016-10-06 2:33 UTC (permalink / raw) To: Tan, Raymond, openembedded-core@lists.openembedded.org Cc: Gupta, Rahul KumarXX On 10/5/16 9:11 PM, Tan, Raymond wrote: > Greetings, I would like to know if there is any plan / schedule to upgrade to openssl 1.1.0 into OE-core? Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to be LTS. For the upcoming release (soon), I would NOT expect 1.1.0 to be in it. There are still too many incompatibilities with other components. For the next version of OE, I think it is appropriate to include 1.1.0, but I would also like to maintain 1.0.2 for the time being. (Beside LTS, it also is still the only way to have FIPS-140-2 module, as there is currently no module in the 1.1.0 -- and there may not be for a while.) --Mark > Thanks! > > Raymond Tan > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: openssl: OpenSSL 1.1.x update 2016-10-06 2:33 ` Mark Hatle @ 2016-10-06 2:59 ` Khem Raj 2016-10-06 14:21 ` Mark Hatle 0 siblings, 1 reply; 10+ messages in thread From: Khem Raj @ 2016-10-06 2:59 UTC (permalink / raw) To: Mark Hatle; +Cc: Gupta, Rahul KumarXX, openembedded-core@lists.openembedded.org On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle <mark.hatle@windriver.com> wrote: > On 10/5/16 9:11 PM, Tan, Raymond wrote: >> Greetings, I would like to know if there is any plan / schedule to upgrade to openssl 1.1.0 into OE-core? > > Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to be LTS. > > For the upcoming release (soon), I would NOT expect 1.1.0 to be in it. There > are still too many incompatibilities with other components. > > For the next version of OE, I think it is appropriate to include 1.1.0, but I > would also like to maintain 1.0.2 for the time being. (Beside LTS, it also is > still the only way to have FIPS-140-2 module, as there is currently no module in > the 1.1.0 -- and there may not be for a while.) What do we get with 1.1.0 ? > > --Mark > >> Thanks! >> >> Raymond Tan >> > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: openssl: OpenSSL 1.1.x update 2016-10-06 2:59 ` Khem Raj @ 2016-10-06 14:21 ` Mark Hatle 2016-10-06 15:22 ` Khem Raj 0 siblings, 1 reply; 10+ messages in thread From: Mark Hatle @ 2016-10-06 14:21 UTC (permalink / raw) To: Khem Raj; +Cc: Gupta, Rahul KumarXX, openembedded-core@lists.openembedded.org On 10/5/16 9:59 PM, Khem Raj wrote: > On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle <mark.hatle@windriver.com> wrote: >> On 10/5/16 9:11 PM, Tan, Raymond wrote: >>> Greetings, I would like to know if there is any plan / schedule to upgrade to openssl 1.1.0 into OE-core? >> >> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to be LTS. >> >> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it. There >> are still too many incompatibilities with other components. >> >> For the next version of OE, I think it is appropriate to include 1.1.0, but I >> would also like to maintain 1.0.2 for the time being. (Beside LTS, it also is >> still the only way to have FIPS-140-2 module, as there is currently no module in >> the 1.1.0 -- and there may not be for a while.) > > What do we get with 1.1.0 ? Latest and greatest code of course.. :) Reality, not a lot more over 1.0.2... there are some significant redesigns that should help improve overall security of the OpenSSL library and items using the library. But various things will have to be updated to make use of this. The OpenSSL community itself is looking at 1.1.0 as a transition to newer and better design/api/etc... which is why it is not marked as a LTS release. Beside my basic understanding (above) there should be information as part of the 1.1.0 release notes. --Mark >> >> --Mark >> >>> Thanks! >>> >>> Raymond Tan >>> >> >> -- >> _______________________________________________ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: openssl: OpenSSL 1.1.x update 2016-10-06 14:21 ` Mark Hatle @ 2016-10-06 15:22 ` Khem Raj 2016-10-06 15:39 ` Mark Hatle 0 siblings, 1 reply; 10+ messages in thread From: Khem Raj @ 2016-10-06 15:22 UTC (permalink / raw) To: Mark Hatle; +Cc: Gupta, Rahul KumarXX, openembedded-core@lists.openembedded.org [-- Attachment #1: Type: text/plain, Size: 1983 bytes --] > On Oct 6, 2016, at 7:21 AM, Mark Hatle <mark.hatle@windriver.com> wrote: > > On 10/5/16 9:59 PM, Khem Raj wrote: >> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle <mark.hatle@windriver.com> wrote: >>> On 10/5/16 9:11 PM, Tan, Raymond wrote: >>>> Greetings, I would like to know if there is any plan / schedule to upgrade to openssl 1.1.0 into OE-core? >>> >>> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to be LTS. >>> >>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it. There >>> are still too many incompatibilities with other components. >>> >>> For the next version of OE, I think it is appropriate to include 1.1.0, but I >>> would also like to maintain 1.0.2 for the time being. (Beside LTS, it also is >>> still the only way to have FIPS-140-2 module, as there is currently no module in >>> the 1.1.0 -- and there may not be for a while.) >> >> What do we get with 1.1.0 ? > > Latest and greatest code of course.. :) > > Reality, not a lot more over 1.0.2... there are some significant redesigns that > should help improve overall security of the OpenSSL library and items using the > library. But various things will have to be updated to make use of this. > > The OpenSSL community itself is looking at 1.1.0 as a transition to newer and > better design/api/etc... which is why it is not marked as a LTS release. api changes can be a bothersome point from integration POV, do we know if there are some forwarded porting incompatibilities in APIs already? > > Beside my basic understanding (above) there should be information as part of the > 1.1.0 release notes. > > --Mark > >>> >>> --Mark >>> >>>> Thanks! >>>> >>>> Raymond Tan >>>> >>> >>> -- >>> _______________________________________________ >>> Openembedded-core mailing list >>> Openembedded-core@lists.openembedded.org >>> http://lists.openembedded.org/mailman/listinfo/openembedded-core > [-- Attachment #2: Message signed with OpenPGP using GPGMail --] [-- Type: application/pgp-signature, Size: 211 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: openssl: OpenSSL 1.1.x update 2016-10-06 15:22 ` Khem Raj @ 2016-10-06 15:39 ` Mark Hatle 2016-10-13 10:35 ` Tan, Raymond 2016-12-13 16:00 ` Alexander Kanavin 0 siblings, 2 replies; 10+ messages in thread From: Mark Hatle @ 2016-10-06 15:39 UTC (permalink / raw) To: Khem Raj; +Cc: Gupta, Rahul KumarXX, openembedded-core@lists.openembedded.org On 10/6/16 10:22 AM, Khem Raj wrote: > >> On Oct 6, 2016, at 7:21 AM, Mark Hatle <mark.hatle@windriver.com> wrote: >> >> On 10/5/16 9:59 PM, Khem Raj wrote: >>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle <mark.hatle@windriver.com> wrote: >>>> On 10/5/16 9:11 PM, Tan, Raymond wrote: >>>>> Greetings, I would like to know if there is any plan / schedule to upgrade to openssl 1.1.0 into OE-core? >>>> >>>> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to be LTS. >>>> >>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in it. There >>>> are still too many incompatibilities with other components. >>>> >>>> For the next version of OE, I think it is appropriate to include 1.1.0, but I >>>> would also like to maintain 1.0.2 for the time being. (Beside LTS, it also is >>>> still the only way to have FIPS-140-2 module, as there is currently no module in >>>> the 1.1.0 -- and there may not be for a while.) >>> >>> What do we get with 1.1.0 ? >> >> Latest and greatest code of course.. :) >> >> Reality, not a lot more over 1.0.2... there are some significant redesigns that >> should help improve overall security of the OpenSSL library and items using the >> library. But various things will have to be updated to make use of this. >> >> The OpenSSL community itself is looking at 1.1.0 as a transition to newer and >> better design/api/etc... which is why it is not marked as a LTS release. > > api changes can be a bothersome point from integration POV, do we know if there > are some forwarded porting incompatibilities in APIs already? I have not investigated it, as my focus has been on the LTS version at this point. --Mark >> >> Beside my basic understanding (above) there should be information as part of the >> 1.1.0 release notes. >> >> --Mark >> >>>> >>>> --Mark >>>> >>>>> Thanks! >>>>> >>>>> Raymond Tan >>>>> >>>> >>>> -- >>>> _______________________________________________ >>>> Openembedded-core mailing list >>>> Openembedded-core@lists.openembedded.org >>>> http://lists.openembedded.org/mailman/listinfo/openembedded-core >> > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: openssl: OpenSSL 1.1.x update 2016-10-06 15:39 ` Mark Hatle @ 2016-10-13 10:35 ` Tan, Raymond 2016-10-13 10:49 ` Hatle, Mark 2016-12-13 16:00 ` Alexander Kanavin 1 sibling, 1 reply; 10+ messages in thread From: Tan, Raymond @ 2016-10-13 10:35 UTC (permalink / raw) To: Hatle, Mark G (Wind River), Khem Raj Cc: Gupta, Rahul KumarXX, openembedded-core@lists.openembedded.org Warm Regards, Raymond Tan > -----Original Message----- > From: Mark Hatle [mailto:mark.hatle@windriver.com] > Sent: Thursday, October 06, 2016 11:40 PM > To: Khem Raj <raj.khem@gmail.com> > Cc: Tan, Raymond <raymond.tan@intel.com>; openembedded- > core@lists.openembedded.org; Gupta, Rahul KumarXX > <rahul.kumarxx.gupta@intel.com> > Subject: Re: [OE-core] openssl: OpenSSL 1.1.x update > > On 10/6/16 10:22 AM, Khem Raj wrote: > > > >> On Oct 6, 2016, at 7:21 AM, Mark Hatle <mark.hatle@windriver.com> > wrote: > >> > >> On 10/5/16 9:59 PM, Khem Raj wrote: > >>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle <mark.hatle@windriver.com> > wrote: > >>>> On 10/5/16 9:11 PM, Tan, Raymond wrote: > >>>>> Greetings, I would like to know if there is any plan / schedule to upgrade > to openssl 1.1.0 into OE-core? > >>>> > >>>> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to be > LTS. > >>>> > >>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in > >>>> it. There are still too many incompatibilities with other components. > >>>> > >>>> For the next version of OE, I think it is appropriate to include > >>>> 1.1.0, but I would also like to maintain 1.0.2 for the time being. > >>>> (Beside LTS, it also is still the only way to have FIPS-140-2 > >>>> module, as there is currently no module in the 1.1.0 -- and there > >>>> may not be for a while.) > >>> This means earliest possible would be post morty? And 1.0.2 would still be maintained in there due to the LTS status? The reason I'm checking is we are trying to integrate a new QAT openssl engine, which is developed for openssl 1.1.0. > >>> What do we get with 1.1.0 ? > >> > >> Latest and greatest code of course.. :) > >> > >> Reality, not a lot more over 1.0.2... there are some significant > >> redesigns that should help improve overall security of the OpenSSL > >> library and items using the library. But various things will have to be > updated to make use of this. > >> > >> The OpenSSL community itself is looking at 1.1.0 as a transition to > >> newer and better design/api/etc... which is why it is not marked as a LTS > release. > > > > api changes can be a bothersome point from integration POV, do we know > > if there are some forwarded porting incompatibilities in APIs already? > > I have not investigated it, as my focus has been on the LTS version at this point. > > --Mark > > >> > >> Beside my basic understanding (above) there should be information as > >> part of the > >> 1.1.0 release notes. > >> > >> --Mark > >> > >>>> > >>>> --Mark > >>>> > >>>>> Thanks! > >>>>> > >>>>> Raymond Tan > >>>>> > >>>> > >>>> -- > >>>> _______________________________________________ > >>>> Openembedded-core mailing list > >>>> Openembedded-core@lists.openembedded.org > >>>> http://lists.openembedded.org/mailman/listinfo/openembedded-core > >> > > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: openssl: OpenSSL 1.1.x update 2016-10-13 10:35 ` Tan, Raymond @ 2016-10-13 10:49 ` Hatle, Mark 0 siblings, 0 replies; 10+ messages in thread From: Hatle, Mark @ 2016-10-13 10:49 UTC (permalink / raw) To: TAN, YEE HONG Cc: Gupta, Rahul KumarXX, openembedded-core@lists.openembedded.org While this is not a fully authoritative answer, I believe what your wrote will be correct. Latest 1.0.2 in 2.2. Master (in future) will have both 1.0.2 and 1.1.0. > On Oct 13, 2016, at 12:36, Tan, Raymond <raymond.tan@intel.com> wrote: > > Warm Regards, > > Raymond Tan > >> -----Original Message----- >> From: Mark Hatle [mailto:mark.hatle@windriver.com] >> Sent: Thursday, October 06, 2016 11:40 PM >> To: Khem Raj <raj.khem@gmail.com> >> Cc: Tan, Raymond <raymond.tan@intel.com>; openembedded- >> core@lists.openembedded.org; Gupta, Rahul KumarXX >> <rahul.kumarxx.gupta@intel.com> >> Subject: Re: [OE-core] openssl: OpenSSL 1.1.x update >> >>> On 10/6/16 10:22 AM, Khem Raj wrote: >>> >>>> On Oct 6, 2016, at 7:21 AM, Mark Hatle <mark.hatle@windriver.com> >> wrote: >>>> >>>>> On 10/5/16 9:59 PM, Khem Raj wrote: >>>>> On Wed, Oct 5, 2016 at 7:33 PM, Mark Hatle <mark.hatle@windriver.com> >> wrote: >>>>>> On 10/5/16 9:11 PM, Tan, Raymond wrote: >>>>>>> Greetings, I would like to know if there is any plan / schedule to upgrade >> to openssl 1.1.0 into OE-core? >>>>>> >>>>>> Currently 1.0.2 is the LTS version of OpenSSL. 1.1.0 is not scheduled to be >> LTS. >>>>>> >>>>>> For the upcoming release (soon), I would NOT expect 1.1.0 to be in >>>>>> it. There are still too many incompatibilities with other components. >>>>>> >>>>>> For the next version of OE, I think it is appropriate to include >>>>>> 1.1.0, but I would also like to maintain 1.0.2 for the time being. >>>>>> (Beside LTS, it also is still the only way to have FIPS-140-2 >>>>>> module, as there is currently no module in the 1.1.0 -- and there >>>>>> may not be for a while.) >>>>> > > This means earliest possible would be post morty? And 1.0.2 would still be maintained in there due to the LTS status? > > The reason I'm checking is we are trying to integrate a new QAT openssl engine, which is developed for openssl 1.1.0. > >>>>> What do we get with 1.1.0 ? >>>> >>>> Latest and greatest code of course.. :) >>>> >>>> Reality, not a lot more over 1.0.2... there are some significant >>>> redesigns that should help improve overall security of the OpenSSL >>>> library and items using the library. But various things will have to be >> updated to make use of this. >>>> >>>> The OpenSSL community itself is looking at 1.1.0 as a transition to >>>> newer and better design/api/etc... which is why it is not marked as a LTS >> release. >>> >>> api changes can be a bothersome point from integration POV, do we know >>> if there are some forwarded porting incompatibilities in APIs already? >> >> I have not investigated it, as my focus has been on the LTS version at this point. >> >> --Mark >> >>>> >>>> Beside my basic understanding (above) there should be information as >>>> part of the >>>> 1.1.0 release notes. >>>> >>>> --Mark >>>> >>>>>> >>>>>> --Mark >>>>>> >>>>>>> Thanks! >>>>>>> >>>>>>> Raymond Tan >>>>>>> >>>>>> >>>>>> -- >>>>>> _______________________________________________ >>>>>> Openembedded-core mailing list >>>>>> Openembedded-core@lists.openembedded.org >>>>>> http://lists.openembedded.org/mailman/listinfo/openembedded-core >>>> >>> > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: openssl: OpenSSL 1.1.x update 2016-10-06 15:39 ` Mark Hatle 2016-10-13 10:35 ` Tan, Raymond @ 2016-12-13 16:00 ` Alexander Kanavin 1 sibling, 0 replies; 10+ messages in thread From: Alexander Kanavin @ 2016-12-13 16:00 UTC (permalink / raw) To: Mark Hatle, Khem Raj Cc: openembedded-core@lists.openembedded.org, Gupta, Rahul KumarXX On 10/06/2016 06:39 PM, Mark Hatle wrote: >>> The OpenSSL community itself is looking at 1.1.0 as a transition to newer and >>> better design/api/etc... which is why it is not marked as a LTS release. >> >> api changes can be a bothersome point from integration POV, do we know if there >> are some forwarded porting incompatibilities in APIs already? > > I have not investigated it, as my focus has been on the LTS version at this point. I've quickly put together a openssl 1.1 recipe to test what builds and what fails in oe-core, and this is the list of failures (any dependencies of these aren't even attempted of course, i.e. webkit): rpm apr-util ruby openssh bind socat mailx (I believe debian provides a rewrite of this one which we need to package) cryptodev-tests u-boot-mkimage Openssl does not seem to be designed for parallel installation of several major versions at the same time (headers and pkg-config files clash), so (unless someone has a better idea), we need to either wait until the above listed upstreams fix their code, or do custom patching. Mark, when can we expect rpm updates from Wind River? It's been a while (actually, 10 months) since anything substantial arrived. I'd like to have both a working CVS recipe (for dnf oe-core integration work), and an update to the stable release with openssl 1.1 support in it - so that oe-core can provide openssl 1.1. I simply do not have the bandwidth or the expertise to do this work myself - far too many patches to rebase, and a code base that I don't even begin to understand. Alex ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: openssl: OpenSSL 1.1.x update 2016-10-06 2:11 openssl: OpenSSL 1.1.x update Tan, Raymond 2016-10-06 2:33 ` Mark Hatle @ 2016-10-06 2:44 ` Paul Eggleton 1 sibling, 0 replies; 10+ messages in thread From: Paul Eggleton @ 2016-10-06 2:44 UTC (permalink / raw) To: Tan, Raymond; +Cc: Gupta, Rahul KumarXX, openembedded-core Hi Raymond, On Thu, 06 Oct 2016 02:11:59 Tan, Raymond wrote: > Greetings, I would like to know if there is any plan / schedule to upgrade > to openssl 1.1.0 into OE-core? I am not aware of any discussion about this (and my answer shouldn't be considered authoritative), however it does look like upgrading to 1.1.0 will result in compatibility issues with code that links to OpenSSL, thus I expect we would need to evaluate the impact of doing so. In any event we are in milestone 4 of the 2.2 release in which as a general rule we do not do version upgrades except when absolutely necessary, so the earliest we would look at this would be for 2.3. Note that for 2.2 we have kept up-to-date with OpenSSL releases on the 1.0.2 branch to date as the risk of compatibility problems across upgrades there is significantly lower. Cheers, Paul -- Paul Eggleton Intel Open Source Technology Centre ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2016-12-13 16:00 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-10-06 2:11 openssl: OpenSSL 1.1.x update Tan, Raymond 2016-10-06 2:33 ` Mark Hatle 2016-10-06 2:59 ` Khem Raj 2016-10-06 14:21 ` Mark Hatle 2016-10-06 15:22 ` Khem Raj 2016-10-06 15:39 ` Mark Hatle 2016-10-13 10:35 ` Tan, Raymond 2016-10-13 10:49 ` Hatle, Mark 2016-12-13 16:00 ` Alexander Kanavin 2016-10-06 2:44 ` Paul Eggleton
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox