Re: 9.0 is getting old...

[Martin Husemann <martin%duskware.de@localhost>]

On Sat, Jun 08, 2024 at 03:14:20PM -0400, Greg Troxel wrote:
> Taylor R Campbell <campbell+netbsd-tech-pkg%mumble.net@localhost> writes:
> 
> > Maybe we should run netbsd-9 bulk builds with PREFER_PKGSRC=openssl?
> > We would need to do the same to avoid libraries in base that link
> > against libssl/libcrypto.
> 
> Have there been ABI changes?  Is this to deal with those changes, or to
> force a version with a security fix (i.e., telling people that the choice
> they made to update isn't ok :-), or ?

This is a classical dilemma - we promise ABI stability, but some parts of
the base system (like openssl) do not allow for that.

See the 9.4 announcement:

	https://netbsd.org/releases/formal-9/NetBSD-9.4.html

where a big note says:

	Important: the version of OpenSSL included with NetBSD
	9.x is now unsupported unless a support contract is
	purchased from OpenSSL, and cannot be upgraded without
	breaking the ABI compatibility we've promised for
	the netbsd-9 branch. Users are recommended to update
	to NetBSD 10 or use OpenSSL from pkgsrc.

We can not update OpenSSL on the branch (breaks ABI compatibility big
time) and we can not provide security fixes for the old openssl branch.

For pkgsrc users there is an easy way out: set PREFER_PKGSRC.openssl to
yes and rebuild all of your pkgs.

But for users of binary pkgs there currently is no choice.
Either switching the official pkgs over, or providing a second set would
be usefull (alone from the openssl PoV).

Martin