OpenSSL

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

OpenSSL

Tommie King
 

Hey, sorry if this is the wrong place.  

 

But im struggling to see how I can upgrade openssl >1.1.1f

 

Compliance checks state that we must have a more up to date version, I know
that it exists (1.1.1g, 1.1.1h, 1.1.1i)

 

But I can only seem to upgrade to 1.1.1f in Cygwin  - is there a new upgrade
package for Cygwin/Openssl coming in the near future?

 

Thanks

 

Tommie King

 

 

 

 

--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL

Cygwin list mailing list
On 04.01.2021 13:21, [hidden email] wrote:
>  
>
> Hey, sorry if this is the wrong place.

Hi Tommie,
this is the right place.

>
> But im struggling to see how I can upgrade openssl >1.1.1f
>
> Compliance checks state that we must have a more up to date version, I know
> that it exists (1.1.1g, 1.1.1h, 1.1.1i)

https://cygwin.com/packages/summary/openssl.html

the last one available on cygwin is 1.1.1f


> But I can only seem to upgrade to 1.1.1f in Cygwin  - is there a new upgrade
> package for Cygwin/Openssl coming in the near future?

It will depends on the maintainer (Corinna) availability.
Maybe after the holyday season
> Thanks
> Tommie King

Regards
Marco

--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL

Brian Inglis
On 2021-01-04 08:11, Marco Atzeri via Cygwin wrote:

> On 04.01.2021 13:21, [hidden email] wrote:
>> But im struggling to see how I can upgrade openssl >1.1.1f
>> Compliance checks state that we must have a more up to date version, I know
>> that it exists (1.1.1g, 1.1.1h, 1.1.1i)
>
> https://cygwin.com/packages/summary/openssl.html
>
> the last one available on cygwin is 1.1.1f
>
>> But I can only seem to upgrade to 1.1.1f in Cygwin  - is there a new upgrade
>> package for Cygwin/Openssl coming in the near future?
>
> It will depends on the maintainer (Corinna) availability.
> Maybe after the holiday season

What are your compliance timing constraints in terms of releases and time?
I see Cygwin openssl is now 3 versions and 9 months behind the latest.

If you have a compliance timing issue, your organization will have to take
responsibility for meeting your compliance needs, either by having staff or
contracting others to meet those needs, by building packages more up to date
than those available from the distros you use.

All recent, and certainly all important, Cygwin packages use the common cygport
package build and maintenance system, which takes a lot of the burden off the
rote tasks required of maintainers to update packages to newer versions.
Any package user may also do so by installing the cygport package and all its
toolchain dependencies, downloading the package sources, most of which contain a
<package>.cygport file, or cloning the package repo:

https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/openssl.git;a=summary

to get the <package>.cygport file, change the package version within to the
latest, and within that directory run:

        $ cygport <package>.cygport download all check

to download all source and patch files and build the package.

In some cases, you may need to install the package source to get the patch
sources if they have not been pushed to the package repo (as there is not really
much in the way of common policies or practices about that as yet), or search
and find the online locations of distros patches.

You may also have to tweak the <package>.cygport files to skip patches already
applied to the upstream package so redundant, tweak patches that are still
required but no longer apply without error, drop patches as the package has been
tweaked in some other way so they are no longer required, or make your own
patches to get the package to build under Cygwin.

You will also have to install the development versions of libraries required by
packages, often named lib/...-devel, and those available on Cygwin which support
additional functionality provided by the package, which may have to be
explicitly configured into the build specified in the <package>.cygport files.

Some background and help is available in the pages under Contributing on the
home page, in the archives of the cygwin-apps list, by searching online, and
asking on this list, if nothing else works.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
Reply | Threaded
Open this post in threaded view
|

Re: TL;DR: About Distros, packages, Cygwin, volunteers

Brian Inglis
On 2021-01-04 21:37, Brian Inglis wrote:

> On 2021-01-04 08:11, Marco Atzeri via Cygwin wrote:
>> On 04.01.2021 13:21, [hidden email] wrote:
>>> But im struggling to see how I can upgrade openssl >1.1.1f
>>> Compliance checks state that we must have a more up to date version, I know
>>> that it exists (1.1.1g, 1.1.1h, 1.1.1i)
>>
>> https://cygwin.com/packages/summary/openssl.html
>>
>> the last one available on cygwin is 1.1.1f
>>
>>> But I can only seem to upgrade to 1.1.1f in Cygwin  - is there a new upgrade
>>> package for Cygwin/Openssl coming in the near future?
>>
>> It will depends on the maintainer (Corinna) availability.
>> Maybe after the holiday season
>
> What are your compliance timing constraints in terms of releases and time?
> I see Cygwin openssl is now 3 versions and 9 months behind the latest.
>
> If you have a compliance timing issue, your organization will have to take
> responsibility for meeting your compliance needs, either by having staff or
> contracting others to meet those needs, by building packages more up to date
> than those available from the distros you use.
>
> All recent, and certainly all important, Cygwin packages use the common cygport
> package build and maintenance system, which takes a lot of the burden off the
> rote tasks required of maintainers to update packages to newer versions.
> Any package user may also do so by installing the cygport package and all its
> toolchain dependencies, downloading the package sources, most of which contain a
> <package>.cygport file, or cloning the package repo:
>
> https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/openssl.git;a=summary
>
> to get the <package>.cygport file, change the package version within to the
> latest, and within that directory run:
>
>      $ cygport <package>.cygport download all check
>
> to download all source and patch files and build the package.
>
> In some cases, you may need to install the package source to get the patch
> sources if they have not been pushed to the package repo (as there is not really
> much in the way of common policies or practices about that as yet), or search
> and find the online locations of distros patches.
>
> You may also have to tweak the <package>.cygport files to skip patches already
> applied to the upstream package so redundant, tweak patches that are still
> required but no longer apply without error, drop patches as the package has been
> tweaked in some other way so they are no longer required, or make your own
> patches to get the package to build under Cygwin.
>
> You will also have to install the development versions of libraries required by
> packages, often named lib/...-devel, and those available on Cygwin which support
> additional functionality provided by the package, which may have to be
> explicitly configured into the build specified in the <package>.cygport files.
>
> Some background and help is available in the pages under Contributing on the
> home page, in the archives of the cygwin-apps list, by searching online, and
> asking on this list, if nothing else works.

TL;DR: About Distros, packages, Cygwin, volunteers

Most distros do not have the current versions of most packages in their stable
releases, as they have to do rebuilds of all dependent packages, and regression
tests of all the packages they are dependent on, apply patches for issues and
rerun regression tests for those, regardless of security issue severity and
urgency, even though they have many full time staff available to carry out the
processes.

For important packages, Cygwin maintainers often monitor the status of their
packages in other distros to see how stable new versions are, how many
regressions or issues have been found in testing, how many patches have been
applied, and their test status, as they are all volunteers working in their
spare time.

I know a number of Cygwin maintainers monitor the status and use many of the
patches applied to Fedora, as they have access to that due to their full time
day jobs at Redhat and/or personal use of those systems at home, and others may
also monitor and use patches from Debian, Gentoo, OpenSuSE, and other distros
with funded infrastructure processes, staff to perform extensive testing, and
develop their own patches for issues found testing on their distros.

One of the biggest issues in volunteer maintained distros like Cygwin is when
dependent packages have to be updated to allow an important package to be
updated, and some of those dependent packages have issues requiring a lot of
work to resolve to get them to build on Cygwin, sometimes requiring the
expertise of the official maintainer, who may not have much time available due
to real life issues.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple