openssl_1_1 is going to be marked as insecure/dropped #231

jtojnar · 2023-05-12T17:34:29Z

Similar to #78, we might need to backport OpenSSL 3 compatibility patches (if possible).

ajs124 · 2023-05-19T15:44:03Z

it's marked as insecure now. drop pending, but probably still a few months ahead.

drupol · 2023-06-04T19:14:22Z

How are we going to tackle this thing in here?

jtojnar · 2023-06-04T19:17:16Z

In the short term, overriding the meta is probably the easiest.

drupol · 2023-06-04T19:18:35Z

And marking ~~the package as insecure~~ adding meta.knownVulnerabilities ? If yes, which vulnerability ?

aanderse · 2023-06-04T19:23:44Z

I'm also interested in resolution to this.

jtojnar · 2023-06-04T19:33:10Z

And marking ~~the package as insecure~~ adding meta.knownVulnerabilities ? If yes, which vulnerability ?

Nixpkgs does that. So we would need to do the opposite – removing meta.knownVulnerabilities.

drupol · 2023-06-04T19:33:31Z

Oooh. Ok.

drupol · 2023-06-04T19:41:43Z

Your eyes here : #237

jtojnar · 2023-06-05T15:09:49Z

We still need to deal with this once the package is removed. Ideally, we would patch PHP to use OpenSSL 3.

drupol mentioned this issue Jun 4, 2023

php: remove meta.knownVulnerabilities #237

Merged

2 tasks

drupol closed this as completed Jun 5, 2023

jtojnar reopened this Jun 5, 2023

Provide feedback