Closed carlocab closed 1 year ago
To clarify, are we still doing this "top-down"? I ask because otherwise the dependencies listed in the tab may list both OpenSSL versions.
Yes, we are. brew audit <formula>
should still catch recursive dependency conflicts (except on Linux).
Great, thanks! It wasn't clear to me which audit we were skipping here.
The recursive dep conflict check is now skipped only when doing brew audit --tap
, and only for PRs that target openssl-migration-staging
.
For reference, there is a list of dependents of openssl@1.1
sorted according to the number of dependents they have here. It may be useful to go from the top of that list going down. (But it's not exactly a topological sort, so that order isn't 100% correct.)
ansible@2.6
and ansible@2.7
no longer exist. I'll strike them out.
Can someone add mariadb-connector-odbc
on the list?
Can someone add mariadb-connector-odbc on the list?
Done.
glib-openssl
is deprecated in 2019 and does not support OpenSSL 3. We should remove or cross it out from the list.
Like mariadb@10.4
, mariadb@10.2
and mariadb@10.3
in the second list don't support OpenSSL 3 either.
ansible@2.8
and ansible@2.9
should be removed from the list because it became disabled
.
subversion@1.8
has been disabled since 2022-10-19 since it does not build anymore. Can someone strike out subversion@1.8
from the list?
dog
has been deprecated in 104c6e5044d610266533673e364378e13ecc4881 for openssl@3
. dog
should be removed from the list.
https://nodejs.org/en/blog/vulnerability/openssl-november-2022
Node.js v17.x, v18.x, and v19.x use OpenSSL v3. Node.js v18.x and v19.x will be updated to address this issue. Support for Node.js v17.x ended in June 2022. It will not be updated. Please migrate to a supported version of Node.js. Node.js 14.x and v16.x are not affected by this OpenSSL update.
node@14
and node@16
don't support openssl@3
.
Following PRs are not on the list. Can someone add them please?
https://github.com/Homebrew/homebrew-core/pull/134658 https://github.com/Homebrew/homebrew-core/pull/134613 https://github.com/Homebrew/homebrew-core/pull/134620 https://github.com/Homebrew/homebrew-core/pull/134619 https://github.com/Homebrew/homebrew-core/pull/134616
Ok, once we've merged the following, I think the OpenSSL 3 migration is ready to 🚢:
There are still a number of outstanding PRs, but I don't consider any of them significant enough to block #134260.
CC @Homebrew/core for thoughts.
This is a huge win, especially in such a short time frame. :shipit:
Thanks everyone for the help!
When I use ssh with openssl@3
The command will cause CPU 100%, when I change the shell window.
Please open a new issue instead of commenting on closed ones.
I opened #135527 to track the remaining stragglers.
I'm opening this issue to track progress on the migration to OpenSSL 3, since OpenSSL 1.1 wil be EOL relatively soon. This also serves as a call for help with this migration.
Below is a list of formulae that need to be migrated to
openssl@3
. If you'd like to help out, please open a pull request that targets theopenssl-migration-staging
branch that updates one of the formulae listed below to useopenssl@3
instead ofopenssl@1.1
.If you encounter
brew audit
failures, then it is possible that either:openssl-migration-staging
branch. Please close your pull request and open a new one that targets the right branch.openssl@3
instead. Please open a pull request to migrate those dependencies first, and then rebase your original pull request against theopenssl-migration-staging
branch after your pull request migrating the relevant dependencies has been merged toopenssl-migration-staging
.`openssl@1.1` dependents with linkage to `openssl@1.1`
- [x] afflib #134325 - [x] ansible #134326 - [x] ansible@7 #134395 - [x] apr-util #134274 - [ ] arangodb #134350 - [x] aria2 #134332 - [x] aws-elasticbeanstalk #134333 - [x] awscli #134335 - [x] azure-cli #134336 - [x] azure-storage-cpp #134337 - [x] berkeley-db #134276 - [x] biber #134351 - [x] bigloo #134352 - [x] borgbackup #134353 - [x] buku #134354 - [x] cargo-c #134293 - [x] cargo-edit #134363 - [x] cargo-outdated #134363 - [x] center-im #134367 - [x] certbot #134368 - [x] charm-tools #134447 - [x] clamav #134444 - [x] cnats #134459 - [x] condure #134461 - [x] coturn #134288 - [x] couchdb #134479 - [x] cpprestsdk #134337 - [x] crackpkcs #120363 - [x] credstash #134480 - [x] crystal-icr #134481 - [x] curl #134264 - [x] cyral-gimme-db-token #134482 - [x] cyrus-sasl #134289 - [x] davix #134433 - [x] dnsdist #134506 - [x] dnsperf #134508 - [x] dnsviz #134510 - [x] dog #119866 - [ ] dotnet #134587 - [ ] dotnet@6 #134593 - [x] dstack #134513 - [x] duplicity #134514 - [x] dvc #134617 - [x] ecflow-ui #134523 - [x] efl #134524 - [x] ejabberd #134525 - [x] emqx #134526 - [x] erlang #134273 - [x] erlang@23 #134527 - [x] esptool #134528 - [ ] ettercap #134529 - [x] fabric #134530 - [x] fastnetmon #134560 - [x] fbthrift #134474 - [x] fdroidserver #134531 - [x] fizz #134474 - [x] flintrock #134532 - [x] folly #134474 - [x] freeradius-server #134533 - [x] freeswitch #134714 - [x] freetds #134277 - [ ] gambit-scheme #133524 - [x] gdcm #134534 - [ ] gerbil-scheme #133524 - [x] getdns #134535 - [x] gimme-aws-creds #134536 - [x] git #134473 - [x] git-series #134476 - [x] gkrellm #134537 - [x] glib-openssl #134489 - [x] gpac #134426 - [x] groonga #134275 - [x] grpc #134396 - [x] gstreamer #134281 - [x] gwenhywfar #134401 - [x] h2o #134291 - [x] hashpump #134538 - [x] hatch #134539 - [x] heimdal #134446 - [x] howdoi #134540 - [x] httpd #134290 - [x] hydra #134541 - [x] icecast #134542 - [x] irssi #134545 - [x] keyring #134546 - [x] krb5 #134259 - [x] lanraragi #134547 - [x] lasso #134548 - [x] lastpass-cli #134549 - [x] ldapvi #134550 - [x] ldns #134299 - [x] libcouchbase #134552 - [x] libevent #134257 - [x] libewf #134424 - [x] libfido2 #134284 - [x] libfixbuf #134423 - [x] libfreefare #134297 - [x] libimobiledevice #134385 - [x] liboauth #134478 - [x] libpq #134259 - [x] librdkafka #134361 - [x] libshout #134281 - [x] libssh #134286 - [x] libssh2 #134264 - [x] libstrophe #134302 - [x] libtorrent-rasterbar #134566 - [x] libxmlsec1 #134377 - [x] libzip #134263 - [x] lighttpd #134516 - [x] localstack #134512 - [ ] luvit #134484 - [x] magic-wormhole #134518 - [x] makepkg #134517 - [x] manticoresearch #134551 - [x] mariadb #134339 - [x] mariadb-connector-c #134339 - [x] mariadb@10.10 #134339 - [x] mariadb@10.11 #134339 - [x] mariadb@10.4 #134675 - [x] mariadb@10.5 #134339 - [x] mariadb@10.6 #134339 - [x] mariadb@10.9 #134339 - [x] mathlibtools #134554 - [x] megatools #134555 - [x] mfterm #134519 - [x] micromamba #134556 - [x] mitmproxy #134520 - [x] molecule #134521 - [x] monero #134462 - [x] mongo-c-driver #134560 - [x] monkeysphere #134557 - [x] mosquitto #134378 - [x] mupdf #134558 - [x] mutt #134559 - [x] mycli #134486 - [x] mysql #134289 - [x] mysql-client #134289 - [ ] mysql-client@5.7 #134568 - [x] mysql-connector-c++ #134515 - [ ] mysql@5.7 :x: not compatible with OpenSSL 3, EOL soon after OpenSSL 1.1 - [x] neomutt #134563 - [x] net-snmp #134418 - [x] nmap #134383 - [x] nmh #134357 - [x] node #134256 - [x] node@16 #134564 - [x] node@18 #134296 - [x] nsd #134467 - [x] nut #134565 - [x] onlykey-agent #134569 - [x] openiked #134570 - [x] openldap #134264 - [x] openrct2 #134571 - [x] openssh #134721 - [x] opusfile #134285 - [x] osc #134572 - [x] passenger #134573 - [x] percona-server #134300 - [x] pgbouncer #134574 - [x] php #134267 - [x] php@8.1 #134575 - [x] poac #134576 - [x] postgresql@11 #134610 - [x] postgresql@12 #134611 - [x] postgresql@13 #134612 - [x] postgresql@14 #134294 - [x] postgresql@15 #134614 - [x] prowler #134577 - [x] pulseaudio #134270 - [x] pure-ftpd #134578 - [x] pwntools #134580 - [x] pypy #134409 - [x] pypy3 #134715 - [x] python@3.10 #134258 - [x] python@3.11 #134255 - [x] python@3.8 #134358 - [x] python@3.9 #134265 - [x] qpdf #134417 - [x] qpid-proton #134581 - [x] qt #134262 - [x] redis #134287 - [x] retdec #134582 - [x] rethinkdb #134583 - [x] robot-framework #134584 - [x] rtmpdump #134264 - [x] ruby #134268 - [x] s3-backer #134585 - [x] sapling #134588 - [x] shairport-sync #134589 - [x] sheldon #134590 - [x] sile #134591 - [x] snownews #134592 - [x] sofia-sip #134442 - [x] spice-gtk #134441 - [ ] spotify-tui #134594 - [x] spotify_player #134595 - [x] sproxy #134596 - [x] srt #134272 - [x] srtp #134282 - [x] ssh-permit-a38 #120366 - [x] sslsplit #134598 - [ ] sslyze #134599 - [x] sstp-client #134600 - [x] subversion #134382 - [x] svtplay-dl #134511 - [x] sylpheed #134601 - [x] sysdig #134602 - [x] syslog-ng #134560 - [x] systemd #134261 - [x] tarsnap #134416 - [x] tcl-tk #134269 - [x] tectonic #134603 - [x] texlive #134419 - [x] thrift #134376 - [x] tor #134392 - [x] transmission-cli #134604 - [x] ttyd #134378 - [x] unbound #134271 - [x] upscaledb #134605 - [x] uwsgi #134606 - [x] w3m #134357 - [x] wangle #134474 - [x] watchman #134474 - [x] wownero #134460 - [x] xml-security-c #134410 - [x] xml-tooling-c #134410 - [x] xrootd #134607 - [x] yara #134411 - [x] ykman #134608 - [x] zeek #134450 - [x] znc #134464 - [x] zookeeper #134334
The following formulae have an
openssl@1.1
dependency, but they have no linkage withopenssl@1.1
on Linux. A few thoughts on how you might handle these:openssl@1.1
dependency can just be removed.openssl@3
). This is common for formulae that build using Rust. Please migrate the formula to useopenssl@3
and adjust the build so that it links with the newopenssl@3
dependency. In the case of formulae that use Rust, it may suffice to setOPENSSL_DIR
andOPENSSL_NO_VENDOR
. There are many examples of this in Homebrew/core. It may also be useful to update the test to catch future instances of mis-linkage.Dependents of `openssl@1.1` with no linkage
- [ ] abricate #134408 - [x] ansible@2.8 ❌ disabled - [x] ansible@2.9 ❌ disabled - [x] ansible@6 #116476 - [x] apache-arrow #134376 - [x] appscale-tools ❌ disabled - [x] awslogs #134783 - [x] awsume #134784 - [x] breezy #134449 - [x] cadaver #134790 - [x] cargo-deny #134463 - [x] cargo-release #134463 - [x] cargo-udeps #134657 - [x] conan #134810 - [x] conan@1 #134811 - [x] cryfs #134812 - [x] crystal #134362 - [x] dzr #134813 - [x] eralchemy #134814 - [x] erlang@21 ❌ disabled - [x] erlang@22 #134816 - [x] etcd-cpp-apiv3 #134817 - [x] fb303 #134474 - [x] gammu #134818 - [x] got #134380 - [x] grpc@1.54 #134301 - [x] hurl #134643 - [x] innotop #134819 - [x] ios-webkit-debug-proxy #134791 - [x] libcouchbase@2 #134820 - [ ] libdap #134821 - [x] libevhtp ❌ disabled - [x] libsignal-protocol-c #134823 - [x] libslax #134824 - [x] libtrace #134422 - [x] libvnc ❌ disabled - [x] libwebsockets #134378 - [x] libzdb #134826 - [x] linode-cli #134800 - [x] mariadb-connector-odbc #134339 - [x] mariadb@10.2 ❌ disabled - [x] mariadb@10.3 ❌ disabled - [x] mariadb@10.7 ❌ disabled - [x] mariadb@10.8 #134609 - [x] mavsdk #134396 - [x] midnight-commander #134827 - [ ] minimal-racket #134636 - [ ] mono #134613 - [x] moto #134828 - [x] musikcube #134789 - [x] mydumper #134829 - [x] mysql@5.6 ❌ disabled - [x] mytop #134971 - [x] neko #134831 - [x] neon #134292 - [x] nginx #134616 - [x] node@14 #123650 - [x] opensaml #134410 - [x] openstackclient #134832 - [x] overdrive #134809 - [x] percona-toolkit #134300 - [x] percona-xtrabackup #134300 - [x] pgcli #134619 - [x] pgloader #134620 - [x] php@7.4 ❌ disabled - [x] php@8.0 #134833 - [x] postgresql@10 #134834 - [x] postgresql@9.4 ❌ disabled - [x] postgresql@9.5 ❌ disabled - [x] profanity #134835 - [ ] psqlodbc #134836 - [x] python@3.7 ❌ disabled - [x] pytorch #130487 - [ ] root #134838 - [x] rtags #134839 - [x] ruby@2.4 ❌ disabled - [x] ruby@2.5 ❌ disabled - [x] ruby@2.6 ❌ disabled - [ ] ruby@2.7 #134420 - [x] ruby@3.0 #134430 - [x] s3ql #134840 - [x] salt #134852 - [x] samba #134842 - [x] sane-backends #134439 - [x] shibboleth-sp #134410 - [x] solana #134843 - [x] spdylay ❌ disabled - [x] sphinx ##134658 - [x] subversion@1.8 ❌ disabled - [x] sysbench #134844 - [x] telegram-cli ❌ disabled - [x] termius #134845 - [x] thrift@0.9 #134846 - [x] tiny-fugue #134847 - [x] tremor-runtime #134848 - [x] vineyard #134849 - [x] wdc #134850 - [ ] web100clt #134851 - [x] xmount #134424
These formulae have no
openssl@1.1
dependency, but have linkage withopenssl@1.1
(on Linux). These will have to be handled on a case-by-case basis, but some of my comments regarding the previous category might apply here too. But we will want to persuade these formulae to useopenssl@3
instead.Details
- [x] amber #134388 - [x] aws-google-auth #134742 - [ ] aws-sam-cli #134739 - [x] aws-sdk-cpp #134376 - [x] awscurl #134640 - [x] btfs #134566 - [x] charmcraft #134641 - [x] citus #134381 - [x] cmusfm #134660 - [x] cups #134638 - [x] ddclient #134639 - [x] dxpy #134661 - [x] esphome #134662 - [x] fb-client #134664 - [x] gdal #134428 - [x] get_iplayer #134913 - [ ] hadoop #134914 - [x] htslib #134915 - [x] imapsync #134916 - [x] jrnl #134665 - [x] keepkey-agent #134666 - [x] lexicon #134667 - [x] libgit2 #134293 - [x] libgit2@1.5 #134463 - [x] licensed #134782 - [x] memcached #134743 - [x] metview #134679 - [x] ntopng #134744 - [x] nvchecker #134917 - [x] oci-cli #134745 - [x] ocrmypdf #134417 - [x] pam-u2f #134746 - [x] pdal #134428 - [x] pocsuite3 #134747 - [x] rizin #134923 - [x] rtl_433 #134897 - [x] rustup-init #134363 - [x] sgr #134748 - [ ] snapcraft #134749 - [x] trezor-agent #134750 - [x] volatility #134411 - [x] x3270 #134918 - [x] yafc #134751 - [x] zurl #134919