On 2021-01-04 21:37, Brian Inglis wrote:
On 2021-01-04 08:11, Marco Atzeri via Cygwin wrote:
On 04.01.2021 13:21, tommie.k...@alverservices.com wrote:
But im struggling to see how I can upgrade openssl >1.1.1f
Compliance checks state that we must have a more up to date version, I know
that it exists (1.1.1g, 1.1.1h, 1.1.1i)
https://cygwin.com/packages/summary/openssl.html
the last one available on cygwin is 1.1.1f
But I can only seem to upgrade to 1.1.1f in Cygwin - is there a new upgrade
package for Cygwin/Openssl coming in the near future?
It will depends on the maintainer (Corinna) availability.
Maybe after the holiday season
What are your compliance timing constraints in terms of releases and time?
I see Cygwin openssl is now 3 versions and 9 months behind the latest.
If you have a compliance timing issue, your organization will have to take
responsibility for meeting your compliance needs, either by having staff or
contracting others to meet those needs, by building packages more up to date
than those available from the distros you use.
All recent, and certainly all important, Cygwin packages use the common cygport
package build and maintenance system, which takes a lot of the burden off the
rote tasks required of maintainers to update packages to newer versions.
Any package user may also do so by installing the cygport package and all its
toolchain dependencies, downloading the package sources, most of which contain a
<package>.cygport file, or cloning the package repo:
https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/openssl.git;a=summary
to get the <package>.cygport file, change the package version within to the
latest, and within that directory run:
$ cygport <package>.cygport download all check
to download all source and patch files and build the package.
In some cases, you may need to install the package source to get the patch
sources if they have not been pushed to the package repo (as there is not really
much in the way of common policies or practices about that as yet), or search
and find the online locations of distros patches.
You may also have to tweak the <package>.cygport files to skip patches already
applied to the upstream package so redundant, tweak patches that are still
required but no longer apply without error, drop patches as the package has been
tweaked in some other way so they are no longer required, or make your own
patches to get the package to build under Cygwin.
You will also have to install the development versions of libraries required by
packages, often named lib/...-devel, and those available on Cygwin which support
additional functionality provided by the package, which may have to be
explicitly configured into the build specified in the <package>.cygport files.
Some background and help is available in the pages under Contributing on the
home page, in the archives of the cygwin-apps list, by searching online, and
asking on this list, if nothing else works.
TL;DR: About Distros, packages, Cygwin, volunteers
Most distros do not have the current versions of most packages in their stable
releases, as they have to do rebuilds of all dependent packages, and regression
tests of all the packages they are dependent on, apply patches for issues and
rerun regression tests for those, regardless of security issue severity and
urgency, even though they have many full time staff available to carry out the
processes.
For important packages, Cygwin maintainers often monitor the status of their
packages in other distros to see how stable new versions are, how many
regressions or issues have been found in testing, how many patches have been
applied, and their test status, as they are all volunteers working in their
spare time.
I know a number of Cygwin maintainers monitor the status and use many of the
patches applied to Fedora, as they have access to that due to their full time
day jobs at Redhat and/or personal use of those systems at home, and others may
also monitor and use patches from Debian, Gentoo, OpenSuSE, and other distros
with funded infrastructure processes, staff to perform extensive testing, and
develop their own patches for issues found testing on their distros.
One of the biggest issues in volunteer maintained distros like Cygwin is when
dependent packages have to be updated to allow an important package to be
updated, and some of those dependent packages have issues requiring a lot of
work to resolve to get them to build on Cygwin, sometimes requiring the
expertise of the official maintainer, who may not have much time available due
to real life issues.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
