=== chris14_ is now known as chris14 | ||
teward | mdeslaur: and the rest of sec team, are you on the ubuntu-devel-discuss list? A question RE: OpenSSL versions came up and which to use, and i think that has security impact so wanting to make sure you all are on the list of people who get the message. | 15:06 |
---|---|---|
=== ebarretto_ is now known as ebarretto | ||
mdeslaur | teward: thanks, I answered already | 15:14 |
teward | mdeslaur: yep just saw your email come in thanks, wasn't sure if someone was already looking :) | 15:19 |
teward | mdeslaur: the last time I think OpenSSL got backported/SRU'd was for 3.0 or something no? It was some non-standard LTS-only special case IIRC and it was a while ago | 15:20 |
teward | and i do remember it caused some level of chaos. | 15:20 |
mdeslaur | there was bionic, but we had also attempted to do it other times without actually going through with it | 15:24 |
teward | yeah bionic is what i was thinking about | 15:29 |
teward | any changes to core things like OpenSSL or Python that touches a ton of core things is a nasty evil thing so :p | 15:29 |
teward | (python, perl, that kind of thing too) | 15:30 |
JanC | Python has the advantage that you can have multiple versions in parallel... | 15:30 |
teward | JanC: accurate, unless you do a stupid and try and switch out the 'newer' versions for the system installed libraries, in which case it blows up a lot of things in base installations | 15:33 |
teward | which too many end users do :\ | 15:33 |
teward | i personally leverage pyenv (https://github.com/pyenv/pyenv) to do userspace installs independent of system libs, but that's just me. | 15:34 |
teward | (i have python 3.8 through 3.11 on this system thanks to it xD) | 15:34 |
JanC | you can have multiple versions installed in parallel system-wide too, although only one can be 'python' at the same time, of course | 15:38 |
teward | true | 15:38 |
teward | JanC: but most of the things like add-apt-repository are built upon / dependent upon / assumed to always be on the default system installed python. | 15:38 |
JanC | I don't think OpenSSL supports that (upstream) | 15:38 |
teward | it doesn't but i was talking about python | 15:39 |
teward | just pulling an example of repo stuff being chaotic that way | 15:40 |
teward | because it torched someone's Lubuntu install :p | 15:40 |
teward | (they yanked out py 3.7 on the version they installed, installed py 3.10, and now have a ton of apt related errors) | 15:40 |
teward | apt / python* | 15:40 |
JanC | while they could just install it in parallel & use it as 'python3.10'... (or use some virtual/userspace environment instead) | 15:42 |
teward | which is what I always tell people :P | 15:43 |
JanC | maybe system tools should use/depend on explicit versions too? (to be more resilient) | 15:43 |
teward | the problem is, end users are a little annoying | 15:44 |
teward | and assume that because they can do something it's just going to work | 15:44 |
JanC | maybe distros could have a 'syspython', and have system tools use/depend on that or something :) | 15:49 |
teward | JanC: That's... actually a good idea, I should consider posting that on ubuntu-devel-discuss. | 15:57 |
mdeslaur | bionic has two different openssl versions in it currently, both installable in parallel | 15:58 |
teward | mdeslaur: right, but that's unique to Bionic, right? | 15:59 |
mdeslaur | once in a while a release has two | 15:59 |
mdeslaur | trusty has two also | 15:59 |
JanC | so openssl upstream supports that, or only in some cases? (when the ABI version changes?) | 16:00 |
mdeslaur | we stuck it in an alternate directory | 16:01 |
mdeslaur | I don't think upstream supports it | 16:01 |
mdeslaur | actually, maybe the library name didn't actually conflict | 16:02 |
mdeslaur | ah yes, it was different major versions, so the library didn't conflict, we just had to move the tools to an alternate directory | 16:03 |