Re: 9.0 is getting old...

[Greg Troxel <gdt%lexort.com@localhost>]

Havard Eidnes <he%NetBSD.org@localhost> writes:

> as you may know, I do pkgsrc bulk builds for NetBSD/powerpc,
> currently for 9.0 and 10.0.  My 9.0 bulk build host is a "true"
> 9.0 system.  This is beginning to show its age, since it has
> OpenSSL 1.1.1c, and py-cryptography now refuses to build (not
> because rust is unavailable -- it is...) but it's refusing unless
> OpenSSL is >= 1.1.1d, ref.
>
>   http://castor.urc.uninett.no/reports/macppc/9.0/2024Q1/20240328.1746/meta/report.html
>
> I see that OpenSSL was upgraded both in 9.1, 9.2 and 9.4; 9.1
> brought in 1.1.1g, 9.2 upgraded to 1.1.1k and 9.4 upgraded to
> 1.1.1t.
>
> I'm building on 9.0 to provide maximal compatibility, i.e. for
> all 9.x releases.  The question is whether it's reasonable to
> upgrade the build system to 9.2.  This will in all probability
> create issues for 9.0 and 9.1 systems.  However, those OS
> releases are now quite "dated".  The question is if it's
> reasonable to expect users to upgrade their systems to 9.2 or
> newer before being able to use a new set of binary packages?

I think

  I see pkgsrc as supporting 9.x, not 9.0

  It's buggy of packages to require a version of openssl because they
  think it isn't secure enough.  I don't know what happens if you patch
  out the check.  I don't know what happens if you add a
  BUILDLINK_API_DEPENDS for openssl.  (I'm not saying it is reasonable
  to expect people to spend time fighting these battle.)

  Anyone running 9.x should either be updating along stable or to minor
  releases.  At this point, anything older than 9.3 is too old.

  I do not expect binary packages built on 9.3 to be troubled on 9.0.
  The theory is that we have binary compatibility.

  I think it's better to have  good packages for people that are up to
  date than to have problems to accomodate people (theoretical people)
  who haven't updated.


> Another and perhaps orthogonal issue is that pkgsrc is apparently
> not preferring to use pkgsrc openssl on these older systems.  I
> don't know if it should, and whether this is a bug or not.

I would say that it should not.  If someone has chosen not to upgrade,
and has security bugs, that's their call.

Another way to view this is "what should the default API_DEPENDS be"
and/or "should we increase it".  This isn't really an API issue; it's an
upstream imposing security attitude (my assumption until corrected).


The other question is: maybe you should just do 10, and drop 9.  But
that's of course your call.   Personally I'm heading for getting off of
9 as soon as I can manage, but I think it's going to take me 6 months.