* [PATCH 00/26] thud patch review
From: Armin Kuster @ 2019-03-19  2:36 UTC
  To: openembedded-core

Responses should be made by Wed March 20th 22:00:00 UTC 2019

The following changes since commit f5a57e939e626a5b7c6de5b51799ca602ed355ed:

  mesa: ship /etc/drirc in mesa-megadriver (2019-03-05 22:24:13 +0000)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib stable/thud-next
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=stable/thud-next

Alexander Kanavin (1):
  ca-certificates: upgrade 20180409 -> 20190110

André Draszik (1):
  systemd: RDEPENDS on util-linux-umount

Changqing Li (1):
  libsndfile1: Security fix CVE-2018-19432

Chen Qi (1):
  target-sdk-provides-dummy: add more perl modules to avoid populate_sdk
    failure

Douglas Royds (1):
  libpam: libpamc is licensed under its own BSD-style licence

George McCollister (1):
  systemd: fix CVE-2019-6454

Jonathan Rajotte-Julien (3):
  lttng-ust: update to 2.10.3
  lttng-modules: update to 2.10.9
  lttng-tools: update to 2.9.11

Mark Hatle (10):
  gitsm.py: Fix when a submodule is defined, but not initialized
  gitsm.py: Add support for alternative URL formats from submodule files
  tests/fetch.py: Add alternative gitsm test case
  gitsm.py: Optimize code and attempt to resolve locking issue
  gitsm.py: revise unpack
  gitsm.py: Rework the shallow fetcher and test case
  gitsm.py: Refactor the functions and simplify the class
  gitsm.py: Fix relative URLs
  gitsmy.py: Fix unpack of submodules of submodules
  gitsm: The fetcher did not process some recursive submodules properly.

Ming Liu (1):
  rm_work: sort the value of do_build dependencies

Oleksandr Kravchuk (1):
  target-sdk-provides-dummy: add perl-module-overload

Richard Purdie (3):
  target-sdk-provides-dummy: Extend to -dev and -src packages
  systemd: Update recent CVE patches
  kernel: Ensure an initramfs is added if configured

Robert Yang (1):
  send-error-report: Add --no-ssl to use http protocol

Ross Burton (1):
  libpng: fix CVE-2019-7317

 bitbake/lib/bb/fetch2/gitsm.py                     | 253 +++++++++------------
 bitbake/lib/bb/tests/fetch.py                      |  70 +++++-
 meta/classes/kernel.bbclass                        |   4 +-
 meta/classes/rm_work.bbclass                       |   3 +-
 .../recipes-core/meta/target-sdk-provides-dummy.bb |  14 ++
 ...-not-store-the-iovec-entry-for-process-co.patch |   6 +-
 ...ld-set-a-limit-on-the-number-of-fields-1k.patch |  56 -----
 ...nald-set-a-limit-on-the-number-of-fields.patch} |  93 ++++++--
 ...nal-fix-out-of-bounds-read-CVE-2018-16866.patch |  49 ++++
 .../0027-journal-fix-syslog_parse_identifier.patch |  77 -------
 ...not-remove-multiple-spaces-after-identifi.patch |  84 -------
 .../systemd/systemd/CVE-2019-6454.patch            | 210 +++++++++++++++++
 ...e-receive-an-invalid-dbus-message-ignore-.patch |  61 +++++
 meta/recipes-core/systemd/systemd_239.bb           |  10 +-
 meta/recipes-extended/pam/libpam_1.3.0.bb          |   4 +-
 ...ose-sk-wmem-in-sock_exceed_buf_limit-trac.patch |  67 ------
 ...g-modules_2.10.7.bb => lttng-modules_2.10.9.bb} |   5 +-
 ...ow-multiple-attempts-to-connect-to-relayd.patch |  17 +-
 ...{lttng-tools_2.9.5.bb => lttng-tools_2.9.11.bb} |   4 +-
 .../{lttng-ust_2.10.1.bb => lttng-ust_2.10.3.bb}   |   4 +-
 .../libpng/libpng/CVE-2019-7317.patch              |  20 ++
 meta/recipes-multimedia/libpng/libpng_1.6.36.bb    |   3 +-
 .../libsndfile/libsndfile1/CVE-2018-19432.patch    | 115 ++++++++++
 .../libsndfile/libsndfile1_1.0.28.bb               |   1 +
 ...tes_20180409.bb => ca-certificates_20190110.bb} |   2 +-
 scripts/send-error-report                          |  11 +-
 26 files changed, 758 insertions(+), 485 deletions(-)
 delete mode 100644 meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch
 rename meta/recipes-core/systemd/systemd/{0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch => 0025-journald-set-a-limit-on-the-number-of-fields.patch} (47%)
 create mode 100644 meta/recipes-core/systemd/systemd/0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0027-journal-fix-syslog_parse_identifier.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0028-journal-do-not-remove-multiple-spaces-after-identifi.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
 create mode 100644 meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-Fix-net-expose-sk-wmem-in-sock_exceed_buf_limit-trac.patch
 rename meta/recipes-kernel/lttng/{lttng-modules_2.10.7.bb => lttng-modules_2.10.9.bb} (85%)
 rename meta/recipes-kernel/lttng/{lttng-tools_2.9.5.bb => lttng-tools_2.9.11.bb} (97%)
 rename meta/recipes-kernel/lttng/{lttng-ust_2.10.1.bb => lttng-ust_2.10.3.bb} (90%)
 create mode 100644 meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-19432.patch
 rename meta/recipes-support/ca-certificates/{ca-certificates_20180409.bb => ca-certificates_20190110.bb} (98%)

-- 
2.7.4




* Re: [PATCH 00/26] thud patch review
From: Martin Jansa @ 2019-03-19  8:55 UTC
  To: Armin Kuster; +Cc: openembedded-core


On Mon, Mar 18, 2019 at 07:36:29PM -0700, Armin Kuster wrote:
> Responses should be made by Wed March 20th 22:00:00 UTC 2019
> 
> The following changes since commit f5a57e939e626a5b7c6de5b51799ca602ed355ed:
> 
>   mesa: ship /etc/drirc in mesa-megadriver (2019-03-05 22:24:13 +0000)
> 
> are available in the git repository at:
> 
>   git://git.yoctoproject.org/poky-contrib stable/thud-next
>   http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=stable/thud-next
> 
> Alexander Kanavin (1):
>   ca-certificates: upgrade 20180409 -> 20190110

This depends on openssl >= 1.1.1 since:
https://salsa.debian.org/debian/ca-certificates/commit/d5e425c8405448e5034d1e16ca52be6a10cb3334
some people might not use new openssl with thud.

More detail in:
http://lists.openembedded.org/pipermail/openembedded-core/2019-March/280234.html

Cheers,


* Re: [PATCH 00/26] thud patch review
From: Vincent Prince @ 2019-03-19  9:05 UTC
  To: Armin Kuster; +Cc: OE-core


Hi Armin,

Regarding the "target-sdk-provides-dummy: add more perl modules to avoid
populate_sdk failure" patch, I had to complete it with the following bbappend:

DUMMYPROVIDES_append = "\
    perl-module-warnings-register \
    perl-module-config \
    perl-module-overloading \
    perl-module-warnings \
    perl-module-file-temp \
"

Don't know if we should rework Chen Qi's patch or create a new one.
By the way, can't we add every empty perl package to the dummy automatically?

Best regards,
Vincent


* Re: [PATCH 00/26] thud patch review
From: Alexander Kanavin @ 2019-03-19 10:22 UTC
  To: Martin Jansa; +Cc: openembedded-core

The commit you refer to changes the dependency from 1.1.0 to 1.1.1, so ca-certificates currently in thud already needs 1.1.

Alex

> On 19 Mar 2019, at 9.55, Martin Jansa <martin.jansa@gmail.com> wrote:
> 
>> On Mon, Mar 18, 2019 at 07:36:29PM -0700, Armin Kuster wrote:
>> Responses should be made by Wed March 20th 22:00:00 UTC 2019
>> 
>> The following changes since commit f5a57e939e626a5b7c6de5b51799ca602ed355ed:
>> 
>>  mesa: ship /etc/drirc in mesa-megadriver (2019-03-05 22:24:13 +0000)
>> 
>> are available in the git repository at:
>> 
>>  git://git.yoctoproject.org/poky-contrib stable/thud-next
>>  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=stable/thud-next
>> 
>> Alexander Kanavin (1):
>>  ca-certificates: upgrade 20180409 -> 20190110
> 
> This depends on openssl >= 1.1.1 since:
> https://salsa.debian.org/debian/ca-certificates/commit/d5e425c8405448e5034d1e16ca52be6a10cb3334
> some people might not use new openssl with thud.
> 
> More detail in:
> http://lists.openembedded.org/pipermail/openembedded-core/2019-March/280234.html
> 
> Cheers,

* Re: [PATCH 00/26] thud patch review
From: Martin Jansa @ 2019-03-19 10:40 UTC
  To: Alexander Kanavin; +Cc: openembedded-core


On Tue, Mar 19, 2019 at 11:22:11AM +0100, Alexander Kanavin wrote:
> The commit you refer to changes the dependency from 1.1.0 to 1.1.1, so ca-certificates currently in thud already needs 1.1.
> 
> Alex
> 
> > On 19 Mar 2019, at 9.55, Martin Jansa <martin.jansa@gmail.com> wrote:
> > 
> >> On Mon, Mar 18, 2019 at 07:36:29PM -0700, Armin Kuster wrote:
> >> Responses should be made by Wed March 20th 22:00:00 UTC 2019
> >> 
> >> The following changes since commit f5a57e939e626a5b7c6de5b51799ca602ed355ed:
> >> 
> >>  mesa: ship /etc/drirc in mesa-megadriver (2019-03-05 22:24:13 +0000)
> >> 
> >> are available in the git repository at:
> >> 
> >>  git://git.yoctoproject.org/poky-contrib stable/thud-next
> >>  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=stable/thud-next
> >> 
> >> Alexander Kanavin (1):
> >>  ca-certificates: upgrade 20180409 -> 20190110
> > 
> > This depends on openssl >= 1.1.1 since:
> > https://salsa.debian.org/debian/ca-certificates/commit/d5e425c8405448e5034d1e16ca52be6a10cb3334
> > some people might not use new openssl with thud.
> > 
> > More detail in:
> > http://lists.openembedded.org/pipermail/openembedded-core/2019-March/280234.html

hmm right
https://salsa.debian.org/debian/ca-certificates/commit/1bc87e0b41a04551a93d4e784e158b044c18792a
was already included in 20180409, another thing to work around when
upgrading to thud.

Cheers,

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com


* Re: [PATCH 00/26] thud patch review
From: Alexander Kanavin @ 2019-03-19 11:35 UTC
  To: Martin Jansa; +Cc: openembedded-core

Just to remind once more, all upstream support for OpenSSL 1.0.2 ceases in 9 months, so shipping products with it may not be the best idea.

Alex

> On 19 Mar 2019, at 11.40, Martin Jansa <martin.jansa@gmail.com> wrote:
> 
>> On Tue, Mar 19, 2019 at 11:22:11AM +0100, Alexander Kanavin wrote:
>> The commit you refer to changes the dependency from 1.1.0 to 1.1.1, so ca-certificates currently in thud already needs 1.1.
>> 
>> Alex
>> 
>>>> On 19 Mar 2019, at 9.55, Martin Jansa <martin.jansa@gmail.com> wrote:
>>>> 
>>>> On Mon, Mar 18, 2019 at 07:36:29PM -0700, Armin Kuster wrote:
>>>> Responses should be made by Wed March 20th 22:00:00 UTC 2019
>>>> 
>>>> The following changes since commit f5a57e939e626a5b7c6de5b51799ca602ed355ed:
>>>> 
>>>> mesa: ship /etc/drirc in mesa-megadriver (2019-03-05 22:24:13 +0000)
>>>> 
>>>> are available in the git repository at:
>>>> 
>>>> git://git.yoctoproject.org/poky-contrib stable/thud-next
>>>> http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=stable/thud-next
>>>> 
>>>> Alexander Kanavin (1):
>>>> ca-certificates: upgrade 20180409 -> 20190110
>>> 
>>> This depends on openssl >= 1.1.1 since:
>>> https://salsa.debian.org/debian/ca-certificates/commit/d5e425c8405448e5034d1e16ca52be6a10cb3334
>>> some people might not use new openssl with thud.
>>> 
>>> More detail in:
>>> http://lists.openembedded.org/pipermail/openembedded-core/2019-March/280234.html
> 
> hmm right
> https://salsa.debian.org/debian/ca-certificates/commit/1bc87e0b41a04551a93d4e784e158b044c18792a
> was already included in 20180409, another thing to work around when
> upgrading to thud.
> 
> Cheers,
> 
> -- 
> Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com



* Re: [PATCH 00/26] thud patch review
From: Martin Jansa @ 2019-03-19 13:55 UTC
  To: Alexander Kanavin; +Cc: openembedded-core


On Tue, Mar 19, 2019 at 12:35:59PM +0100, Alexander Kanavin wrote:
> Just to remind once more, all upstream support for OpenSSL 1.0.2 ceases in 9 months, so shipping products with it may not be the best idea.

Just to remind once more, shipping products isn't as easy as building
the few recipes included in oe-core.

For example:
Believe it or not, some projects need to use old Qt 5.6 due to license
change in newer version and 5.6 doesn't support openssl 1.1,
backporting the necessary changes would violate the license as well.
Providing clean room re-implementation is also difficult, because there
aren't many other options how to implement this than how it was done in
newer qt already, see:

https://bugreports.qt.io/browse/QTBUG-71623
https://development.qt-project.narkive.com/RW4wxYXY/openssl-1-1-x-support-on-qt-5-6-5-9

Yes, it's not the best idea, but even backporting security fixes to old
openssl might be cheaper than buying commercial qt license...

Cheers,


* Re: [PATCH 00/26] thud patch review
From: akuster808 @ 2019-03-19 14:52 UTC
  To: Martin Jansa; +Cc: openembedded-core





On 3/19/19 1:55 AM, Martin Jansa wrote:
> On Mon, Mar 18, 2019 at 07:36:29PM -0700, Armin Kuster wrote:
>> Responses should be made by Wed March 20th 22:00:00 UTC 2019
>>
>> The following changes since commit f5a57e939e626a5b7c6de5b51799ca602ed355ed:
>>
>>   mesa: ship /etc/drirc in mesa-megadriver (2019-03-05 22:24:13 +0000)
>>
>> are available in the git repository at:
>>
>>   git://git.yoctoproject.org/poky-contrib stable/thud-next
>>   http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=stable/thud-next
>>
>> Alexander Kanavin (1):
>>   ca-certificates: upgrade 20180409 -> 20190110
then this gets dropped
> This depends on openssl >= 1.1.1 since:
> https://salsa.debian.org/debian/ca-certificates/commit/d5e425c8405448e5034d1e16ca52be6a10cb3334
> some people might not use new openssl with thud.
>
> More detail in:
> http://lists.openembedded.org/pipermail/openembedded-core/2019-March/280234.html
>
> Cheers,




* Re: [PATCH 00/26] thud patch review
From: Alexander Kanavin @ 2019-03-19 15:40 UTC
  To: akuster808; +Cc: openembedded-core

Nope, we determined that it’s actually ok.

Alex

> On 19 Mar 2019, at 15.52, akuster808 <akuster808@gmail.com> wrote:
> 
> 
> 
>> On 3/19/19 1:55 AM, Martin Jansa wrote:
>>> On Mon, Mar 18, 2019 at 07:36:29PM -0700, Armin Kuster wrote:
>>> Responses should be made by Wed March 20th 22:00:00 UTC 2019
>>> 
>>> The following changes since commit f5a57e939e626a5b7c6de5b51799ca602ed355ed:
>>> 
>>>  mesa: ship /etc/drirc in mesa-megadriver (2019-03-05 22:24:13 +0000)
>>> 
>>> are available in the git repository at:
>>> 
>>>  git://git.yoctoproject.org/poky-contrib stable/thud-next
>>>  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=stable/thud-next
>>> 
>>> Alexander Kanavin (1):
>>>  ca-certificates: upgrade 20180409 -> 20190110
> then this gets dropped
>> This depends on openssl >= 1.1.1 since:
>> https://salsa.debian.org/debian/ca-certificates/commit/d5e425c8405448e5034d1e16ca52be6a10cb3334
>> some people might not use new openssl with thud.
>> 
>> More detail in:
>> http://lists.openembedded.org/pipermail/openembedded-core/2019-March/280234.html
>> 
>> Cheers,
> 
> 

* Re: [PATCH 00/26] thud patch review
From: Alexander Kanavin @ 2019-03-19 16:31 UTC
  To: Martin Jansa; +Cc: openembedded-core


For what it’s worth, OpenSSL is also being relicensed to Apache 2.0, so backporting their fixes may not be an option either. 
https://license.openssl.org/

Please be careful with your language: I’m sure you know that recipe maintenance is a tedious, thankless task. Having it belittled doesn’t help.

Alex

> On 19 Mar 2019, at 14.55, Martin Jansa <martin.jansa@gmail.com> wrote:
> 
>> On Tue, Mar 19, 2019 at 12:35:59PM +0100, Alexander Kanavin wrote:
>> Just to remind once more, all upstream support for OpenSSL 1.0.2 ceases in 9 months, so shipping products with it may not be the best idea.
> 
> Just to remind once more, shipping products isn't as easy as building
> the few recipes included in oe-core.
> 
> For example:
> Believe it or not, some projects need to use old Qt 5.6 due to license
> change in newer version and 5.6 doesn't support openssl 1.1,
> backporting the necessary changes would violate the license as well.
> Providing clean room re-implementation is also difficult, because there
> aren't many other options how to implement this than how it was done in
> newer qt already, see:
> 
> https://bugreports.qt.io/browse/QTBUG-71623
> https://development.qt-project.narkive.com/RW4wxYXY/openssl-1-1-x-support-on-qt-5-6-5-9
> 
> Yes, it's not the best idea, but even backporting security fixes to old
> openssl might be cheaper than buying commercial qt license...
> 
> Cheers,


* Re: [PATCH 00/26] thud patch review
From: Martin Jansa @ 2019-03-19 17:07 UTC
  To: Alexander Kanavin; +Cc: openembedded-core


On Tue, Mar 19, 2019 at 05:31:52PM +0100, Alexander Kanavin wrote:
> For what it’s worth, OpenSSL is also being relicensed to Apache 2.0, so backporting their fixes may not be an option either. 
> https://license.openssl.org/
> 
> Please be careful with your language: I’m sure you know that recipe maintenance is a tedious, thankless task. Having it belittled doesn’t help.

I'm sorry, I don't want to belittle the recipe maintenance task.

I'm just saying that using OE to build commercial products is another
level of complexity and if we as a project ignore the issues companies
might have while upgrading to newer OE releases, then we shouldn't be
surprised that there are too many products built with really ancient and
unsupported OE releases.

I'm not recommending to anyone to use openssl10 forever, I've replied to
this thread mostly to warn other people (who might be in the same hole
with openssl10) that this is another pain point and suggested possible
way how to work around it.

More commercial users closer to master might also help with lack of
resources, upstreaming something from danny based build to master is
much less likely to happen than from e.g. thud. Having a bit easier
upgrade paths or at least a bit sympathy for people having troubles
persuading management that spending a lot of time and money to rebuild
all native apps, just to get newer build system (which no customer will
ever notice in the end product) might help as well.

With app store filled by native apps from 3rd party companies and
required backward compatibility with older products, the stable ABI
might be more important for some people than latest, greatest versions
and we shouldn't ignore such use-cases for OE (or at least not assume
that nobody needs openssl10 just because oe-core recipes can already
build without it).

Cheers,

> > On 19 Mar 2019, at 14.55, Martin Jansa <martin.jansa@gmail.com> wrote:
> > 
> >> On Tue, Mar 19, 2019 at 12:35:59PM +0100, Alexander Kanavin wrote:
> >> Just to remind once more, all upstream support for OpenSSL 1.0.2 ceases in 9 months, so shipping products with it may not be the best idea.
> > 
> > Just to remind once more, shipping products isn't as easy as building
> > the few recipes included in oe-core.
> > 
> > For example:
> > Believe it or not, some projects need to use old Qt 5.6 due to license
> > change in newer version and 5.6 doesn't support openssl 1.1,
> > backporting the necessary changes would violate the license as well.
> > Providing clean room re-implementation is also difficult, because there
> > aren't many other options how to implement this than how it was done in
> > newer qt already, see:
> > 
> > https://bugreports.qt.io/browse/QTBUG-71623
> > https://development.qt-project.narkive.com/RW4wxYXY/openssl-1-1-x-support-on-qt-5-6-5-9
> > 
> > Yes, it's not the best idea, but even backporting security fixes to old
> > openssl might be cheaper than buying commercial qt license...
> > 
> > Cheers,

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com
