[package] many: different requirements on openssl version (can cause problems)

[a4z]

today I run into an issue that libcurl required openssl/1.1.1g , but paho-mqtt-c/1.3.1 required openssl/1.1.1f this can give a not so positive user experience. I updated the paho-mqtt-c recipe and submitted a PR, but there are more such problems in the recipe catalog. the question is, for such an important and security relevant library like openssl, should there not be some auto update in place to a) have a consistent dependency tree b) do not ship old openssl version to users due to security reasons

please see below the list of openssl users

rg  openssl/1  recipes/ 
recipes/libmysqlclient/all/conanfile.py
29:            self.requires("openssl/1.1.1g")
recipes/cpprestsdk/all/conanfile.py
49:        self.requires("openssl/1.1.1g")
recipes/jwt-cpp/all/conanfile.py
21:        self.requires("openssl/1.1.1g")
recipes/poco/all/conanfile.py
120:            self.requires("openssl/1.1.1g")
recipes/wt/all/conanfile.py
65:            self.requires('openssl/1.1.1g')
recipes/folly/all/conanfile.py
26:        "openssl/1.1.1d",
recipes/cpp-httplib/all/conanfile.py
23:            self.requires("openssl/1.1.1g")
recipes/opusfile/all/conanfile.py
20:        "openssl/1.1.1d"
recipes/libtorrent/all/conanfile.py
66:            self.requires("openssl/1.1.1d")
recipes/ixwebsocket/all/conanfile.py
62:            self.requires.add("openssl/1.1.1e")
recipes/tgbot/all/conanfile.py
22:        "openssl/1.1.1d",
recipes/libgit2/all/conanfile.py
72:            self.requires("openssl/1.1.1g")
recipes/libgit2/0.27.x/conanfile.py
70:            self.requires("openssl/1.1.1d")
recipes/libevent/2.1.11/conanfile.py
40:            self.requires("openssl/1.1.1d")
recipes/libpq/all/conanfile.py
53:            self.requires.add("openssl/1.0.2s")
recipes/sqlcipher/all/conanfile.py
33:            self.requires("openssl/1.1.1d")
recipes/librhash/all/conanfile.py
50:            self.requires("openssl/1.1.1f")
recipes/libssh2/all/conanfile.py
52:            self.requires("openssl/1.1.1f")
recipes/cpp-jwt/all/conanfile.py
23:        self.requires("openssl/1.1.1d")
recipes/dcmtk/all/conanfile.py
81:            self.requires("openssl/1.0.2u")
recipes/paho-mqtt-c/all/conanfile.py
41:            self.requires("openssl/1.1.1g")
recipes/libnghttp2/all/conanfile.py
48:            self.requires.add("openssl/1.1.1d")
recipes/mysql-connector-c/all/conanfile.py
27:            self.requires.add("openssl/1.0.2u")
recipes/libcurl/all/conanfile.py
118:                self.requires("openssl/1.1.1g")
recipes/libarchive/all/conanfile.py
77:            self.requires.add("openssl/1.1.1d")
recipes/apr-util/all/conanfile.py
73:            self.requires("openssl/1.1.1g")
recipes/cpr/all/conanfile.py
49:            self.requires("openssl/1.1.1d")
recipes/simple-websocket-server/all/conanfile.py
16:        "openssl/1.1.1d",
recipes/websocketpp/all/conanfile.py
23:        self.requires("openssl/1.1.1g")
recipes/czmq/all/conanfile.py
45:        self.requires("openssl/1.1.1g")  # zdigest depends on openssl
recipes/amqp-cpp/all/conanfile.py
48:            self.requires.add("openssl/1.1.1d")
recipes/botan/all/conanfile.py
60:            self.requires("openssl/1.0.2t")

[a4z]

any progress, or feedback for me, no this issue ? (just asking because I just added again a lib that requires openssl and has of course, since it was updated most recent, the latest one while other recipes still are on the previous one)

[Croydon]

See https://github.com/conan-io/conan-center-index/issues/696 for upgrades

For a fast workaround for updates I would recommend to require OpenSSL directly in your conanfile to overwrite everything to the latest patch

[perseoGI]

Hi there! I'm closing this issue as recipes which depends on openssl have been updated to use version ranges so version conflicts should have been eradicated!

Happy coding 🐸