Re: Update minimum SSL version

Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> writes:
> On 2019-12-04 13:53, Tom Lane wrote:
>> So, what exactly are we going to set as the new minimum version in
>> each case? I'll have to go update my trailing-edge-Johnnie buildfarm
>> critters, and it'd make sense to have them continue to test the
>> oldest nominally-supported versions.
>>
>> For OpenSSL it seems like 1.0.1a is the target, per the above
>> discussion.
>>
>> For Python, I'll just observe that RHEL6 ships 2.6.6, so we can't
>> bump up to 2.7.

> Yes, it would be Python 2.6.

So the upshot, after a fair amount of hair-pulling, is

* Somebody maybe should be testing openssl 1.0.1, but it won't be
me, because neither 1.0.1 nor 1.0.1a will even build on non-Intel
platforms. After closer study of their release notes, I've settled
on 1.0.1e as being the best compromise between being old and not
having unreasonable teething pains. (I wonder how coincidental
it is that that's also what Red Hat is now shipping in RHEL6.)
I've successfully installed 1.0.1e on prairiedog and gaur, so
I can flip them to start building HEAD with that whenever we
break compatibility with 0.9.8.

* Python 2.6.x also suffered from an unreasonable amount of
teething pains --- 2.6.2 is the oldest version that seems
to know how to build a shared library on Darwin. I've now
got a reasonably functional 2.6 on gaur and 2.6.2 on prairiedog,
and again will adjust those buildfarm members to use those
installations when/if our support for their current versions
goes away.

regards, tom lane