Cyrus-sasl-2.1.29 release #762
Comments
master is work on cyrus-sasl 2.2, there is no timeline on that release. We are discussing a 2.1.29 release purely for ensuring openssl 3 compatibility as OpenSSL 1.1.1 series is being retired by the OpenSSL project. |
Thank you 👍 |
For testing, last version updates when it is release time Signed-off-by: Quanah Gibson-Mount <[email protected]>
When will the release happen? All milestone issues are done. |
DIGEST-MD5 needs removal since there's no way to support it with OpenSSL3. |
Really? The MD5 implementation in 2.1 is the internal one. RC4 was removed. That leaves us with DES and 3DES. For DES, one has to use the legacy provider but I think you can certainly use 3DES. |
For a stable version update, mechanism removal is a bit tough for my taste. |
I see: The des.h functions are deprecated. Would it be an alternative to port to evp.h? |
We didn't feel like any porting effort was justified for something we're about to delete. Also DIGEST-MD5 has been "historical" for over 10 years, and any sites using it can just as easily use SCRAM instead. |
If the OpenSSL installation does not have DES_cbc_encrypt the DIGEST-MD5 will still compile but without any available method. I think this is good enough and it will not break on modern configurations. In this problem space, e4a9a7e would be a much better backport candidate because srp compilation is broken on OpenSSL without legacy APIs. |
Not sure what the point of including it is then, if it has no security layer. Better to just remove it so admins have to recognize that they need to choose a new mech. |
The point of including is that OpenSSL 3.0 can be configured to retain the legacy APIs and in Debian, it will be like that for the foreseeable future. I do not think I am going to upgrade Debian's cyrus-sasl2 to 2.1.29 if DIGEST-MD5 will be dropped. In that case I am going to wait with an update to 2.2 (most likely after the next Debian release trixie). Everyone who wants to get rid of the mechanism can do so by disabling it. |
The only purpose for 2.1.29 at this time is for a release that can use OpenSSL 3.0 when the deprecated APIs are not enabled. No distro should be updating to 2.1.29. |
Several distributions have backported the master branch OpenSSL 3 changes to version 2.1.27 and 2.1.28. |
Several distributions took changes from a PR that was not accepted upstream and added them to their builds without consultation with the cyrus-sasl development team. |
This thread....
|
Please enlighten me, but the only thing I hear being mentioned is the ciphers needed for confidentiality/integrity support (security layers), but all the So if we pull support for |
Those security layers are enabled by default. Most installations using DIGEST-MD5 expect them to be there. Turning them off usually means the mech is ineligible for use (based on configured secprops) and so the mech would effectively disappear/be disabled anyway. What's the point of keeping it then? |
Except that's the only thing we can't actually deliver any more. Those connections you're talking about would be coming in over plaintext for |
We (Symas) are having a conference call next week on Monday at 4:30pm GMT to discuss how to proceed. Anyone with an interest in the question can join in using the call-in numbers listed here https://www.symas.com/about-symas to reach extension 76029, no PIN. |
Thanks @hyc . To be clear and open. On Solaris 11.4 SRU, where As such Solaris can skip 2.1.29 (as suggested by @quanah) and look |
The outcome of that call has not been noted here. Might be worth giving an outline at least? |
TODO: Fix warnings due to using deprecated functions by cyrus-sasl:
```
digestmd5.c:894:5: warning: ‘DES_ede3_cbc_encrypt’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
```
See _cyrusimap/cyrus-sasl#762
There is still no indication what the outcome of the mentioned call was. From other communication I presume something along the lines that there will be no more releases in the 2.1 stream, instead aiming to release 2.2 at some point. |
Why has this ticket been closed if there is still no new release? 🤔 |
There will be no new releases of the 2.1 series. This ticket was about 2.1.29, there won't be one. |
Dear all, Latest Cyrus-SASL is 2.1.28 (2022-02-22), soon 3 years. Can you go here to talk about a new version before the Debian 13 freeze soon? Next Debian 14 will be in 2027: Thanks in advance. |
@Neustradamus please stop commenting on every bug report you find, @ mentioning the world etc. It is only going to be seen as spam as countless other projects have told you already and taken together it can be seen as harassment. This is a community project maintained on a volunteer basis, if you want things done (sooner) you have two options: you can step in and help make it happen or you can hire someone to work on whatever you consider a priority. Right now you are doing neither, on the contrary, your endless stream of comments on random (and mostly closed?) tickets without even engaging in a discussion is taking away from, not contributing to, this project. Consider this your final warning: if you continue this behaviour, you will be blocked. |
cyrus-sasl-2.1.28...master shows +190 commits since last release which was +year ago.
Any plans to release new version? 🤔