Homebrew / homebrew-core

🍻 Default formulae for the missing package manager for macOS (or Linux)
https://brew.sh
BSD 2-Clause "Simplified" License

Migrate formulae to `openssl@3` #134251

Closed carlocab closed 1 year ago

carlocab commented 1 year ago

I'm opening this issue to track progress on the migration to OpenSSL 3, since OpenSSL 1.1 will be EOL relatively soon. This also serves as a call for help with this migration.

Below is a list of formulae that need to be migrated to openssl@3. If you'd like to help out, please open a pull request that targets the openssl-migration-staging branch that updates one of the formulae listed below to use openssl@3 instead of openssl@1.1.

If you encounter brew audit failures, then it is possible that either:

  1. Your pull request does not target the openssl-migration-staging branch. Please close your pull request and open a new one that targets the right branch.
  2. The formula you are trying to migrate has a dependency that hasn't yet been migrated to use openssl@3 instead. Please open a pull request to migrate those dependencies first, and then rebase your original pull request against the openssl-migration-staging branch after your pull request migrating the relevant dependencies has been merged to openssl-migration-staging.

`openssl@1.1` dependents with linkage to `openssl@1.1`

- [x] afflib #134325
- [x] ansible #134326
- [x] ansible@7 #134395
- [x] apr-util #134274
- [ ] arangodb #134350
- [x] aria2 #134332
- [x] aws-elasticbeanstalk #134333
- [x] awscli #134335
- [x] azure-cli #134336
- [x] azure-storage-cpp #134337
- [x] berkeley-db #134276
- [x] biber #134351
- [x] bigloo #134352
- [x] borgbackup #134353
- [x] buku #134354
- [x] cargo-c #134293
- [x] cargo-edit #134363
- [x] cargo-outdated #134363
- [x] center-im #134367
- [x] certbot #134368
- [x] charm-tools #134447
- [x] clamav #134444
- [x] cnats #134459
- [x] condure #134461
- [x] coturn #134288
- [x] couchdb #134479
- [x] cpprestsdk #134337
- [x] crackpkcs #120363
- [x] credstash #134480
- [x] crystal-icr #134481
- [x] curl #134264
- [x] cyral-gimme-db-token #134482
- [x] cyrus-sasl #134289
- [x] davix #134433
- [x] dnsdist #134506
- [x] dnsperf #134508
- [x] dnsviz #134510
- [x] dog #119866
- [ ] dotnet #134587
- [ ] dotnet@6 #134593
- [x] dstack #134513
- [x] duplicity #134514
- [x] dvc #134617
- [x] ecflow-ui #134523
- [x] efl #134524
- [x] ejabberd #134525
- [x] emqx #134526
- [x] erlang #134273
- [x] erlang@23 #134527
- [x] esptool #134528
- [ ] ettercap #134529
- [x] fabric #134530
- [x] fastnetmon #134560
- [x] fbthrift #134474
- [x] fdroidserver #134531
- [x] fizz #134474
- [x] flintrock #134532
- [x] folly #134474
- [x] freeradius-server #134533
- [x] freeswitch #134714
- [x] freetds #134277
- [ ] gambit-scheme #133524
- [x] gdcm #134534
- [ ] gerbil-scheme #133524
- [x] getdns #134535
- [x] gimme-aws-creds #134536
- [x] git #134473
- [x] git-series #134476
- [x] gkrellm #134537
- [x] glib-openssl #134489
- [x] gpac #134426
- [x] groonga #134275
- [x] grpc #134396
- [x] gstreamer #134281
- [x] gwenhywfar #134401
- [x] h2o #134291
- [x] hashpump #134538
- [x] hatch #134539
- [x] heimdal #134446
- [x] howdoi #134540
- [x] httpd #134290
- [x] hydra #134541
- [x] icecast #134542
- [x] irssi #134545
- [x] keyring #134546
- [x] krb5 #134259
- [x] lanraragi #134547
- [x] lasso #134548
- [x] lastpass-cli #134549
- [x] ldapvi #134550
- [x] ldns #134299
- [x] libcouchbase #134552
- [x] libevent #134257
- [x] libewf #134424
- [x] libfido2 #134284
- [x] libfixbuf #134423
- [x] libfreefare #134297
- [x] libimobiledevice #134385
- [x] liboauth #134478
- [x] libpq #134259
- [x] librdkafka #134361
- [x] libshout #134281
- [x] libssh #134286
- [x] libssh2 #134264
- [x] libstrophe #134302
- [x] libtorrent-rasterbar #134566
- [x] libxmlsec1 #134377
- [x] libzip #134263
- [x] lighttpd #134516
- [x] localstack #134512
- [ ] luvit #134484
- [x] magic-wormhole #134518
- [x] makepkg #134517
- [x] manticoresearch #134551
- [x] mariadb #134339
- [x] mariadb-connector-c #134339
- [x] mariadb@10.10 #134339
- [x] mariadb@10.11 #134339
- [x] mariadb@10.4 #134675
- [x] mariadb@10.5 #134339
- [x] mariadb@10.6 #134339
- [x] mariadb@10.9 #134339
- [x] mathlibtools #134554
- [x] megatools #134555
- [x] mfterm #134519
- [x] micromamba #134556
- [x] mitmproxy #134520
- [x] molecule #134521
- [x] monero #134462
- [x] mongo-c-driver #134560
- [x] monkeysphere #134557
- [x] mosquitto #134378
- [x] mupdf #134558
- [x] mutt #134559
- [x] mycli #134486
- [x] mysql #134289
- [x] mysql-client #134289
- [ ] mysql-client@5.7 #134568
- [x] mysql-connector-c++ #134515
- [ ] mysql@5.7 :x: not compatible with OpenSSL 3, EOL soon after OpenSSL 1.1
- [x] neomutt #134563
- [x] net-snmp #134418
- [x] nmap #134383
- [x] nmh #134357
- [x] node #134256
- [x] node@16 #134564
- [x] node@18 #134296
- [x] nsd #134467
- [x] nut #134565
- [x] onlykey-agent #134569
- [x] openiked #134570
- [x] openldap #134264
- [x] openrct2 #134571
- [x] openssh #134721
- [x] opusfile #134285
- [x] osc #134572
- [x] passenger #134573
- [x] percona-server #134300
- [x] pgbouncer #134574
- [x] php #134267
- [x] php@8.1 #134575
- [x] poac #134576
- [x] postgresql@11 #134610
- [x] postgresql@12 #134611
- [x] postgresql@13 #134612
- [x] postgresql@14 #134294
- [x] postgresql@15 #134614
- [x] prowler #134577
- [x] pulseaudio #134270
- [x] pure-ftpd #134578
- [x] pwntools #134580
- [x] pypy #134409
- [x] pypy3 #134715
- [x] python@3.10 #134258
- [x] python@3.11 #134255
- [x] python@3.8 #134358
- [x] python@3.9 #134265
- [x] qpdf #134417
- [x] qpid-proton #134581
- [x] qt #134262
- [x] redis #134287
- [x] retdec #134582
- [x] rethinkdb #134583
- [x] robot-framework #134584
- [x] rtmpdump #134264
- [x] ruby #134268
- [x] s3-backer #134585
- [x] sapling #134588
- [x] shairport-sync #134589
- [x] sheldon #134590
- [x] sile #134591
- [x] snownews #134592
- [x] sofia-sip #134442
- [x] spice-gtk #134441
- [ ] spotify-tui #134594
- [x] spotify_player #134595
- [x] sproxy #134596
- [x] srt #134272
- [x] srtp #134282
- [x] ssh-permit-a38 #120366
- [x] sslsplit #134598
- [ ] sslyze #134599
- [x] sstp-client #134600
- [x] subversion #134382
- [x] svtplay-dl #134511
- [x] sylpheed #134601
- [x] sysdig #134602
- [x] syslog-ng #134560
- [x] systemd #134261
- [x] tarsnap #134416
- [x] tcl-tk #134269
- [x] tectonic #134603
- [x] texlive #134419
- [x] thrift #134376
- [x] tor #134392
- [x] transmission-cli #134604
- [x] ttyd #134378
- [x] unbound #134271
- [x] upscaledb #134605
- [x] uwsgi #134606
- [x] w3m #134357
- [x] wangle #134474
- [x] watchman #134474
- [x] wownero #134460
- [x] xml-security-c #134410
- [x] xml-tooling-c #134410
- [x] xrootd #134607
- [x] yara #134411
- [x] ykman #134608
- [x] zeek #134450
- [x] znc #134464
- [x] zookeeper #134334

The following formulae have an openssl@1.1 dependency, but they have no linkage with openssl@1.1 on Linux. A few thoughts on how you might handle these:

Dependents of `openssl@1.1` with no linkage

- [ ] abricate #134408
- [x] ansible@2.8 ❌ disabled
- [x] ansible@2.9 ❌ disabled
- [x] ansible@6 #116476
- [x] apache-arrow #134376
- [x] appscale-tools ❌ disabled
- [x] awslogs #134783
- [x] awsume #134784
- [x] breezy #134449
- [x] cadaver #134790
- [x] cargo-deny #134463
- [x] cargo-release #134463
- [x] cargo-udeps #134657
- [x] conan #134810
- [x] conan@1 #134811
- [x] cryfs #134812
- [x] crystal #134362
- [x] dzr #134813
- [x] eralchemy #134814
- [x] erlang@21 ❌ disabled
- [x] erlang@22 #134816
- [x] etcd-cpp-apiv3 #134817
- [x] fb303 #134474
- [x] gammu #134818
- [x] got #134380
- [x] grpc@1.54 #134301
- [x] hurl #134643
- [x] innotop #134819
- [x] ios-webkit-debug-proxy #134791
- [x] libcouchbase@2 #134820
- [ ] libdap #134821
- [x] libevhtp ❌ disabled
- [x] libsignal-protocol-c #134823
- [x] libslax #134824
- [x] libtrace #134422
- [x] libvnc ❌ disabled
- [x] libwebsockets #134378
- [x] libzdb #134826
- [x] linode-cli #134800
- [x] mariadb-connector-odbc #134339
- [x] mariadb@10.2 ❌ disabled
- [x] mariadb@10.3 ❌ disabled
- [x] mariadb@10.7 ❌ disabled
- [x] mariadb@10.8 #134609
- [x] mavsdk #134396
- [x] midnight-commander #134827
- [ ] minimal-racket #134636
- [ ] mono #134613
- [x] moto #134828
- [x] musikcube #134789
- [x] mydumper #134829
- [x] mysql@5.6 ❌ disabled
- [x] mytop #134971
- [x] neko #134831
- [x] neon #134292
- [x] nginx #134616
- [x] node@14 #123650
- [x] opensaml #134410
- [x] openstackclient #134832
- [x] overdrive #134809
- [x] percona-toolkit #134300
- [x] percona-xtrabackup #134300
- [x] pgcli #134619
- [x] pgloader #134620
- [x] php@7.4 ❌ disabled
- [x] php@8.0 #134833
- [x] postgresql@10 #134834
- [x] postgresql@9.4 ❌ disabled
- [x] postgresql@9.5 ❌ disabled
- [x] profanity #134835
- [ ] psqlodbc #134836
- [x] python@3.7 ❌ disabled
- [x] pytorch #130487
- [ ] root #134838
- [x] rtags #134839
- [x] ruby@2.4 ❌ disabled
- [x] ruby@2.5 ❌ disabled
- [x] ruby@2.6 ❌ disabled
- [ ] ruby@2.7 #134420
- [x] ruby@3.0 #134430
- [x] s3ql #134840
- [x] salt #134852
- [x] samba #134842
- [x] sane-backends #134439
- [x] shibboleth-sp #134410
- [x] solana #134843
- [x] spdylay ❌ disabled
- [x] sphinx #134658
- [x] subversion@1.8 ❌ disabled
- [x] sysbench #134844
- [x] telegram-cli ❌ disabled
- [x] termius #134845
- [x] thrift@0.9 #134846
- [x] tiny-fugue #134847
- [x] tremor-runtime #134848
- [x] vineyard #134849
- [x] wdc #134850
- [ ] web100clt #134851
- [x] xmount #134424

These formulae have no openssl@1.1 dependency, but have linkage with openssl@1.1 (on Linux). These will have to be handled on a case-by-case basis, but some of my comments regarding the previous category might apply here too. But we will want to persuade these formulae to use openssl@3 instead.

- [x] amber #134388
- [x] aws-google-auth #134742
- [ ] aws-sam-cli #134739
- [x] aws-sdk-cpp #134376
- [x] awscurl #134640
- [x] btfs #134566
- [x] charmcraft #134641
- [x] citus #134381
- [x] cmusfm #134660
- [x] cups #134638
- [x] ddclient #134639
- [x] dxpy #134661
- [x] esphome #134662
- [x] fb-client #134664
- [x] gdal #134428
- [x] get_iplayer #134913
- [ ] hadoop #134914
- [x] htslib #134915
- [x] imapsync #134916
- [x] jrnl #134665
- [x] keepkey-agent #134666
- [x] lexicon #134667
- [x] libgit2 #134293
- [x] libgit2@1.5 #134463
- [x] licensed #134782
- [x] memcached #134743
- [x] metview #134679
- [x] ntopng #134744
- [x] nvchecker #134917
- [x] oci-cli #134745
- [x] ocrmypdf #134417
- [x] pam-u2f #134746
- [x] pdal #134428
- [x] pocsuite3 #134747
- [x] rizin #134923
- [x] rtl_433 #134897
- [x] rustup-init #134363
- [x] sgr #134748
- [ ] snapcraft #134749
- [x] trezor-agent #134750
- [x] volatility #134411
- [x] x3270 #134918
- [x] yafc #134751
- [x] zurl #134919

Bo98 commented 1 year ago

To clarify, are we still doing this "top-down"? I ask because otherwise the dependencies listed in the tab may list both OpenSSL versions.

carlocab commented 1 year ago

Yes, we are. `brew audit <formula>` should still catch recursive dependency conflicts (except on Linux).

Bo98 commented 1 year ago

Great, thanks! It wasn't clear to me which audit we were skipping here.

carlocab commented 1 year ago

The recursive dep conflict check is now skipped only when doing `brew audit --tap`, and only for PRs that target `openssl-migration-staging`.

carlocab commented 1 year ago

For reference, there is a list of dependents of openssl@1.1 sorted according to the number of dependents they have here. It may be useful to go from the top of that list going down. (But it's not exactly a topological sort, so that order isn't 100% correct.)
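
The dependencies-first ordering and the recursive conflict check discussed in the comments above can be modelled on a small graph. This is an added example, not part of the thread and not Homebrew's audit code; the edges in `DEPS` are constructed for illustration, and `openssl_versions`, `conflict?`, `migration_order` and `failed_audits` are hypothetical helper names.

```ruby
require "set"

# Constructed graph: formula => direct dependencies. Names come from the
# checklist above; the edges are illustrative assumptions, not Homebrew data.
DEPS = {
  "libssh2"  => ["openssl"],
  "libevent" => ["openssl"],
  "curl"     => ["libssh2", "openssl"],
  "tor"      => ["libevent", "openssl"],
  "git"      => ["curl"],
}.freeze

# OpenSSL versions in the dependency closure of `formula`, where `migrated`
# holds the formulae whose own "openssl" dependency is already openssl@3.
def openssl_versions(formula, migrated, seen = Set.new)
  return Set.new unless seen.add?(formula)
  DEPS.fetch(formula, []).each_with_object(Set.new) do |dep, found|
    next found.merge(openssl_versions(dep, migrated, seen)) unless dep == "openssl"
    found << (migrated.include?(formula) ? "openssl@3" : "openssl@1.1")
  end
end

# Simplified model of the recursive check: both versions in one closure.
def conflict?(formula, migrated)
  openssl_versions(formula, migrated).size > 1
end

# Dependencies-first order (Kahn's algorithm): every formula appears after
# all of its dependencies, so they are on openssl@3 when its turn comes.
def migration_order
  pending = DEPS.transform_values { |deps| deps - ["openssl"] }
  order = []
  until pending.empty?
    ready = pending.select { |_, deps| (deps - order).empty? }.keys.sort
    raise "dependency cycle among #{pending.keys}" if ready.empty?
    order.concat(ready)
    ready.each { |name| pending.delete(name) }
  end
  order
end

# Replays a migration sequence and returns the formulae that conflict at the
# moment their own change is checked.
def failed_audits(sequence)
  migrated = Set.new
  sequence.select { |formula| conflict?(formula, migrated << formula) }
end
```

Replaying `migration_order` produces no failures, while a sequence that migrates `curl` before `libssh2` fails at `curl`. With only `libssh2` migrated, its not-yet-migrated dependents `curl` and `git` still see both versions in this model.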

p-linnane commented 1 year ago

ansible@2.6 and ansible@2.7 no longer exist. I'll strike them out.

fel1x-developer commented 1 year ago

Can someone add mariadb-connector-odbc on the list?

p-linnane commented 1 year ago

> Can someone add mariadb-connector-odbc on the list?

Done.

fel1x-developer commented 1 year ago

glib-openssl was deprecated in 2019 and does not support OpenSSL 3. We should remove or cross it out from the list.

https://github.com/Homebrew/homebrew-core/pull/134489

fel1x-developer commented 1 year ago

Like mariadb@10.4, mariadb@10.2 and mariadb@10.3 in the second list don't support OpenSSL 3 either.

fel1x-developer commented 1 year ago

ansible@2.8 and ansible@2.9 should be removed from the list because they became disabled.

fel1x-developer commented 1 year ago

subversion@1.8 has been disabled since 2022-10-19 since it does not build anymore. Can someone strike out subversion@1.8 from the list?

fel1x-developer commented 1 year ago

dog has been deprecated in 104c6e5044d610266533673e364378e13ecc4881 for openssl@3. dog should be removed from the list.

fel1x-developer commented 1 year ago

https://nodejs.org/en/blog/vulnerability/openssl-november-2022

> Node.js v17.x, v18.x, and v19.x use OpenSSL v3. Node.js v18.x and v19.x will be updated to address this issue. Support for Node.js v17.x ended in June 2022. It will not be updated. Please migrate to a supported version of Node.js. Node.js 14.x and v16.x are not affected by this OpenSSL update.

node@14 and node@16 don't support openssl@3.

fel1x-developer commented 1 year ago

The following PRs are not on the list. Can someone add them please?

- https://github.com/Homebrew/homebrew-core/pull/134658
- https://github.com/Homebrew/homebrew-core/pull/134613
- https://github.com/Homebrew/homebrew-core/pull/134620
- https://github.com/Homebrew/homebrew-core/pull/134619
- https://github.com/Homebrew/homebrew-core/pull/134616

carlocab commented 1 year ago

Ok, once we've merged the following, I think the OpenSSL 3 migration is ready to 🚢:

There are still a number of outstanding PRs, but I don't consider any of them significant enough to block #134260.

CC @Homebrew/core for thoughts.

p-linnane commented 1 year ago

This is a huge win, especially in such a short time frame. :shipit:

carlocab commented 1 year ago

Thanks everyone for the help!

limingxinleo commented 1 year ago

When I use ssh with openssl@3

The command will cause CPU 100%, when I change the shell window.

carlocab commented 1 year ago

Please open a new issue instead of commenting on closed ones.

carlocab commented 1 year ago

I opened #135527 to track the remaining stragglers.