Re: 9.0 is getting old...

[Greg Troxel <gdt%lexort.com@localhost>]

Havard Eidnes <he%NetBSD.org@localhost> writes:

> While the last sentence "use pkgsrc OpenSSL or upgrade to 10.0" is
> of course perfectly fine to state to users, it doesn't really
> resolve what I as bulk builder for NetBSD/powerpc 9.x ought to do.

It does not, but I lean to simple, meaning don't set PREFER_PKGSRC.

Also, we have a bulk build guideline in quarterly that says TNF-hosted
bulk builds should have an esentially empty mk.conf.  The point is that
an official bulk build is what you get if you just build pkgsrc, not
some tweaked version according to somebody's opinions.

If people think we should change openssl's bl3 to say that pre-3 is
unacceptable (because it is unmaintained, ignoring pay-only
not-open-source maintenance), we can talk about that.  But it's not
really about 9.x -- it's much bigger and about every platform with
pre-3.  And it definitely shouldn't be a separate decision per bulk
builder.

(non-TNF builds can of course make their own choices; the license grants
the freedom to do all sorts of things)

> I *could* of course set PREFER_PKGSRC.openssl=yes in my /etc/mk.conf
> and build with that, but I get the sense that this should be a
> choice left to the user / local administrator.  And, yes, that
> pushes the user making that choice in the direction of building
> everything himself instead of being able to rely on binary packages.

If people want to deviate from what is checked in they can; that's what
source is about.

> Obviously, that would force me to toss all the pre-existing binary
> packages which directly or indirectly depends on OpenSSL before
> re-building.

Sure, but I don't think that's really part of the decision process.

> The thing I'm leaning towards is "do the minimal to clear the
> py-cryptogarphy issue" and upgrade the pbulk build host to 9.2, and
> just tell the few powerpc users "please upgrade to 9.2 or newer
> before using this upcoming set of binary packages; use of this set
> on 9.0 or 9.1 is on your own responsibility and is not guaranteed to
> be trouble-free",

That's a bit strong. I'd say "beware that while in theory there is ABI
compat and these should work, there might be trouble.   If so, please
report it.   But, you really should upgrade to 9.4 anyway to get
security fixes"

I also think we should leave the 9.0 and 9.1 symlinks pointing to the
same newer builds.  It is not ok to persistently distribute builds
without security maintainence.  People who want old builds can set
explicit paths -- then they know what they are getting into.

I'm also ok with withdrawing the symlinks as "there are no longer builds
for this platform".  But so far, fears that 9.2-built packages won't
work on 9.0 are theoretical.