Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

From: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Michael Paquier <michael(at)paquier(dot)xyz>, Postgres hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?
Date: 2023-09-07 11:30:15
Message-ID: CA+hUKG+BcPgbz83QeUo42QO9wJ1EufmnspEQ4SCqQvSgkZsSeg@mail.gmail.com
Lists: pgsql-hackers

On Wed, May 24, 2023 at 11:03 PM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> > On 24 May 2023, at 11:52, Michael Paquier <michael(at)paquier(dot)xyz> wrote:
> > On Wed, May 24, 2023 at 11:36:56AM +0200, Daniel Gustafsson wrote:
> >> 1.0.2 is also an LTS version available commercially for premium support
> >> customers of OpenSSL (1.1.1 will become an LTS version as well), with 1.0.2zh
> >> slated for release next week. This raises the likelihood of Postgres
> >> installations using 1.0.2 in production still, and for some time to come.
> >
> > Good point. Indeed, that makes it pretty clear that not dropping
> > 1.0.2 would be the best option for the time being, so 0001 would be
> > enough.
>
> I think that's the right move re 1.0.2 support. 1.0.2 is also the version in
> RHEL7 which is in ELS until 2026.

I don't mind either way if we rip out OpenSSL 1.0.2 support now or
later, other than a general feeling that cryptography must be about
the worst possible category of software to keep supporting for years
after it has been declared EOL.

But.. I don't like the idea that our *next* release's library version
horizon is controlled by Red Hat's "ELS" phase. The
yum.postgresql.org team aren't packaging 17 for RHEL7 AFAICS, which is
as it should be if you ask me, because the 10 year maintenance phase
ends before 17 will ship. These hypothetical users that want to run
an OS even older than that and don't know how to get modern crypto
libraries on it but insist on a shiny new PostgreSQL release and build
it from source because there are no packages available... don't exist?
