Posted to dev@httpd.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2015/12/14 19:15:39 UTC

OpenSSL 0.9.8/1.0.0 on Trunk

W.r.t. http://svn.apache.org/r1719967 - I'm +1 for the backport.
I'd like to propose we remove all support from *trunk* for OpenSSL < 1.0.1
effective now...

https://mta.openssl.org/pipermail/openssl-announce/2014-December/000000.html

We don't deprecate support on maintenance branches (e.g. 2.2/2.4),
because we seek to minimize the pain of moving from one subversion
release to another.  If someone wanted to hack a non-fatal warning for
the ./configure phase, that could be a worthwhile patch.
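
A sketch of the non-fatal `./configure` warning suggested above. This is an added example, not part of the original post and not httpd's own build code; the function names, the warning wording and the sample headers are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: non-fatal OpenSSL version warning for a configure-style script.
# opensslv.h encodes the version as 0xMNNFFPPS (major, minor, fix, patch,
# status), so any 1.0.1 build is >= 0x10001000.
MIN_OPENSSL_HEX=0x10001000

# Print the hex literal assigned to OPENSSL_VERSION_NUMBER in header $1.
# Prints nothing when the macro is not a plain hex literal.
openssl_header_version() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_NUMBER[[:space:]]\{1,\}\(0x[0-9A-Fa-f]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Returns 0 if header $1 is >= 1.0.1, 1 if older, 2 if unparseable.
# Warnings go to stderr; the caller keeps going either way (non-fatal).
check_openssl_min() {
    ver=$(openssl_header_version "$1")
    if [ -z "$ver" ]; then
        echo "configure: WARNING: could not read OpenSSL version from $1" >&2
        return 2
    fi
    if [ $(($ver)) -lt $(($MIN_OPENSSL_HEX)) ]; then
        echo "configure: WARNING: OpenSSL $ver is older than 1.0.1 (hypothetical wording)" >&2
        return 1
    fi
    return 0
}

# Run the check over constructed sample headers and print the return codes.
demo_results() {
    d=$(mktemp -d) || return 3
    printf '#define OPENSSL_VERSION_NUMBER 0x0090805fL\n'   > "$d/098.h"   # 0.9.8 series
    printf '#define OPENSSL_VERSION_NUMBER 0x1000000fL\n'   > "$d/100.h"   # 1.0.0
    printf '# define OPENSSL_VERSION_NUMBER  0x1000105fL\n' > "$d/101.h"   # 1.0.1 series
    printf '#define OPENSSL_VERSION_NUMBER (MAJOR<<28)\n'   > "$d/expr.h"  # not a literal
    out=""
    for h in 098 100 101 expr; do
        rc=0
        check_openssl_min "$d/$h.h" || rc=$?
        out="$out$rc "
    done
    rm -rf "$d"
    echo "${out% }"
}

demo_results   # prints: 1 1 0 2
```
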

Re: OpenSSL 0.9.8/1.0.0 on Trunk

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
As an alternative, we can flag removing pre openssl 1.0.1 support as a
showstopper in STATUS and leave it be for a while longer to make backports
a bit easier.  Thoughts?
On Dec 14, 2015 12:35, "Ruediger Pluem" <rp...@apache.org> wrote:

>
>
> On 12/14/2015 07:15 PM, William A Rowe Jr wrote:
> > W.r.t. http://svn.apache.org/r1719967 - I'm +1 for the backport.
> > I'd like to propose we remove all support from *trunk* for OpenSSL < 1.0.1
> > effective now...
> >
> > https://mta.openssl.org/pipermail/openssl-announce/2014-December/000000.html
> >
> > We don't deprecate support on maintenance branches (e.g. 2.2/2.4),
> > because we seek to minimize the pain of moving from one subversion
> > release to another.  If someone wanted to hack a non-fatal warning for
> > the ./configure phase, that could be a worthwhile patch.
> >
> >
>
> +1
>
> Regards
>
> Rüdiger
>

Re: OpenSSL 0.9.8/1.0.0 on Trunk

Posted by Ruediger Pluem <rp...@apache.org>.

On 12/14/2015 07:15 PM, William A Rowe Jr wrote:
> W.r.t. http://svn.apache.org/r1719967 - I'm +1 for the backport.
> I'd like to propose we remove all support from *trunk* for OpenSSL < 1.0.1
> effective now...
> 
> https://mta.openssl.org/pipermail/openssl-announce/2014-December/000000.html
> 
> We don't deprecate support on maintenance branches (e.g. 2.2/2.4),
> because we seek to minimize the pain of moving from one subversion
> release to another.  If someone wanted to hack a non-fatal warning for 
> the ./configure phase, that could be a worthwhile patch.
> 
> 

+1

Regards

Rüdiger

Re: OpenSSL 0.9.8/1.0.0 on Trunk

Posted by Luca Toscano <to...@gmail.com>.
Hi all,

I am a bit new so sorry if this question is trivial. I noticed that
httpd's doxygen documentation is regularly built in
https://ci.apache.org/builders, so I am wondering if we could build
everything in trunk (or all the supported branches) regularly after each
commit (getting a daily report of failures/warnings for example in this
ML). CentOS is missing among the list of supported testing environments but
it might be possible to add it by asking the buildbot owners.

I am probably missing some bits and pieces so if I am completely mistaken
please let me know! I'll try to update the related docs (like
https://httpd.apache.org/dev/ and /developer) for the newcomers like me :)

Thanks!

Luca


2015-12-22 6:30 GMT+01:00 Jacob Perkins <ja...@cpanel.net>:

> Hi Eric,
>
> I’m going to work on setting up a test system for all of our supported
> environments so that we can test our platform quicker and provide feedback
> during the T&R period.
>
> I’d love to try and give back to the project honestly. cPanel has used
> Apache in the core of our webstack for at least 10 years so it would be
> great if we could provide some extra eyes for testing releases, if not more.
>
> Sorry if I came across a little… crass. It’s been a long day.
> —
> Jacob Perkins
> Product Owner
> *cPanel Inc.*
>
> jacob.perkins@cpanel.net
> Office:  713-529-0800 x 4046
> Cell:  713-560-8655
>
> On Dec 21, 2015, at 5:20 PM, Eric Covener <co...@gmail.com> wrote:
>
> > On Mon, Dec 21, 2015 at 2:38 PM, Jacob Perkins <ja...@cpanel.net> wrote:
> >> CentOS 5 still ships with OpenSSL 0.9.8, and is still supported for another
> >> year or so. Considering there’s a lot of servers still running CentOS 5 (and
> >> possibly older), it feels as if this would have been caught.
> >
> > Do you mean could or should have been caught?
> >
> > It wasn't caught until someone compiled it against openssl < 0.9.8m
> > (which is not the latest 0.9.8).  I can't see many scenarios where someone
> > will compile a new 2.4.x release and not have a contemporary openssl --
> > beyond trying to catch exactly these kinds of problems during a release.
> >
> >> Especially something as small as a missing semicolon.
> >
> > Well, usually small problems are the ones that fly under the radar.  Anything
> > catastrophic to the build will not go unnoticed, but someone has to build on the
> > affected platform/compiler/prereqs/???.
> >
> >> Would a linter / compile check to proactively check those things help?
> >
> > Dunno, possible.
>
>
>

Re: OpenSSL 0.9.8/1.0.0 on Trunk

Posted by Jacob Perkins <ja...@cpanel.net>.
Hi Eric,

I’m going to work on setting up a test system for all of our supported environments so that we can test our platform quicker and provide feedback during the T&R period.

I’d love to try and give back to the project honestly. cPanel has used Apache in the core of our webstack for at least 10 years so it would be great if we could provide some extra eyes for testing releases, if not more.

Sorry if I came across a little… crass. It’s been a long day.
—
Jacob Perkins
Product Owner
cPanel Inc.

jacob.perkins@cpanel.net
Office:  713-529-0800 x 4046
Cell:  713-560-8655

> On Dec 21, 2015, at 5:20 PM, Eric Covener <co...@gmail.com> wrote:
> 
> On Mon, Dec 21, 2015 at 2:38 PM, Jacob Perkins <ja...@cpanel.net> wrote:
>> CentOS 5 still ships with OpenSSL 0.9.8, and is still supported for another
>> year or so. Considering there’s a lot of servers still running CentOS 5 (and
>> possibly older), it feels as if this would have been caught.
> 
> Do you mean could or should have been caught?
> 
> It wasn't caught until someone compiled it against openssl < 0.9.8m
> (which is not the latest 0.9.8).  I can't see many scenarios where someone
> will compile a new 2.4.x release and not have a contemporary openssl --
> beyond trying to catch exactly these kinds of problems during a release.
> 
>> Especially something as small as a missing semicolon.
> 
> Well, usually small problems are the ones that fly under the radar.    Anything
> catastrophic to the build will not go unnoticed, but someone has to build on the
> affected platform/compiler/prereqs/???.
> 
>> Would a linter / compile check to proactively check those things help?
> 
> Dunno, possible.


Re: OpenSSL 0.9.8/1.0.0 on Trunk

Posted by Eric Covener <co...@gmail.com>.
On Mon, Dec 21, 2015 at 2:38 PM, Jacob Perkins <ja...@cpanel.net> wrote:
> CentOS 5 still ships with OpenSSL 0.9.8, and is still supported for another
> year or so. Considering there’s a lot of servers still running CentOS 5 (and
> possibly older), it feels as if this would have been caught.

Do you mean could or should have been caught?

It wasn't caught until someone compiled it against openssl < 0.9.8m
(which is not the latest 0.9.8).  I can't see many scenarios where someone
will compile a new 2.4.x release and not have a contemporary openssl --
beyond trying to catch exactly these kinds of problems during a release.

> Especially something as small as a missing semicolon.

Well, usually small problems are the ones that fly under the radar.    Anything
catastrophic to the build will not go unnoticed, but someone has to build on the
affected platform/compiler/prereqs/???.

> Would a linter / compile check to proactively check those things help?

Dunno, possible.

Re: OpenSSL 0.9.8/1.0.0 on Trunk

Posted by Jacob Perkins <ja...@cpanel.net>.
CentOS 5 still ships with OpenSSL 0.9.8, and is still supported for another year or so. Considering there’s a lot of servers still running CentOS 5 (and possibly older), it feels as if this would have been caught. Especially something as small as a missing semicolon.

Would a linter / compile check to proactively check those things help?
—
Jacob Perkins
Product Owner
cPanel Inc.

jacob.perkins@cpanel.net
Office:  713-529-0800 x 4046
Cell:  713-560-8655

> On Dec 21, 2015, at 1:06 PM, Eric Covener <co...@gmail.com> wrote:
> 
> On Mon, Dec 21, 2015 at 1:48 PM, Jacob Perkins <ja...@cpanel.net> wrote:
>> This is kind of a show stopper here. I’m surprised something as major as
>> code not compiling was not caught before it was sent out.
> 
> This particular failure only occurs when compiling httpd against older
> levels of openssl 0.9.8.
> It's no surprise to me that none of the handful of people who test new
> release candidates test
> with contemporary levels of openssl that are actually fit for some use.


Re: OpenSSL 0.9.8/1.0.0 on Trunk

Posted by Eric Covener <co...@gmail.com>.
On Mon, Dec 21, 2015 at 1:48 PM, Jacob Perkins <ja...@cpanel.net> wrote:
> This is kind of a show stopper here. I’m surprised something as major as
> code not compiling was not caught before it was sent out.

This particular failure only occurs when compiling httpd against older
levels of openssl 0.9.8.
It's no surprise to me that none of the handful of people who test new
release candidates test
with contemporary levels of openssl that are actually fit for some use.

Re: OpenSSL 0.9.8/1.0.0 on Trunk

Posted by Jacob Perkins <ja...@cpanel.net>.
This is kind of a show stopper here. I’m surprised something as major as code not compiling was not caught before it was sent out.

—
Jacob Perkins
Product Owner
cPanel Inc.

jacob.perkins@cpanel.net
Office:  713-529-0800 x 4046
Cell:  713-560-8655

> On Dec 15, 2015, at 9:57 AM, Mike Rumph <mi...@oracle.com> wrote:
> 
> FYI.  Bug 58737 was just opened today for this error.
> 
> Thanks,
> 
> Mike
> 
> On 12/14/2015 10:15 AM, William A Rowe Jr wrote:
>> W.r.t. http://svn.apache.org/r1719967 - I'm +1 for the backport.
>> I'd like to propose we remove all support from *trunk* for OpenSSL < 1.0.1
>> effective now...
>> 
>> https://mta.openssl.org/pipermail/openssl-announce/2014-December/000000.html
>> 
>> We don't deprecate support on maintenance branches (e.g. 2.2/2.4),
>> because we seek to minimize the pain of moving from one subversion
>> release to another.  If someone wanted to hack a non-fatal warning for
>> the ./configure phase, that could be a worthwhile patch.
>> 
>> 
> 


Re: OpenSSL 0.9.8/1.0.0 on Trunk

Posted by Mike Rumph <mi...@oracle.com>.
FYI.  Bug 58737 was just opened today for this error.

Thanks,

Mike

On 12/14/2015 10:15 AM, William A Rowe Jr wrote:
> W.r.t. http://svn.apache.org/r1719967 - I'm +1 for the backport.
> I'd like to propose we remove all support from *trunk* for OpenSSL < 1.0.1
> effective now...
>
> https://mta.openssl.org/pipermail/openssl-announce/2014-December/000000.html
>
> We don't deprecate support on maintenance branches (e.g. 2.2/2.4),
> because we seek to minimize the pain of moving from one subversion
> release to another.  If someone wanted to hack a non-fatal warning for
> the ./configure phase, that could be a worthwhile patch.
>
>