-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove support for openssl older than 1.1.1 #1397
base: master
Are you sure you want to change the base?
Conversation
6f1eb2b
to
5e66652
Compare
The action
failed, but didn't in my own repo. I suspect this test is flaky. Can a maintainer re-trigger it? |
5e66652
to
ec31a96
Compare
Thank you for the contribution @jonesmz ! I feel like this needs some discussion. As someone who rewrote a bunch of ssl related code recently I can totally relate. But also, we have no idea if people are still building coturn for that older version. What I suggest is that we keep this PR until we tag a new version (4.6.3) which would be last one to support openssl <1.1.1 and then merge this PR (for next version 4.7.0). What do you think? |
I mean ultimately it's not my call, so whatever you think is best. I'm not sure that the criteria should involve whether people still use the old version of OpenSSL. Regardless of any other thing involved in a support decision, ultimately the deciding factor is whether the people who maintain the project are willing to continue supporting a version, not whether anyone is using the old version. OpenSSL <1.1.1 have a much different API than 1.1.1 and newer, (as evidenced by by this patch). The amount of extra work to support this is noticeable. My team at work has put in a disproportionate amount of time, compared to the total, stumbling over the details of the old OpenSSL code, and my team's time is a finite resource, so I want to eliminate the bottleneck as soon as practical. My work also has contracts that forbid us from deploying versions of OpenSSL that are out of support (so OpenSSL 1.1.1 and older), so my boss will give me flack if I put any time into continuing to support it. I don't have to go purge it, but I'm not excited about having to explain why I'm submitting PR's that adjust OpenSSL 1.0.1 code, even if it's a tiny amount of time relative to the rest of the changes. I wont get in trouble or anything, just eyebrow raises. As for the philosophical questions regarding "should support" or "should use" and so on, I think it's pretty unlikely that someone is simultaneously:
You say in this comment on another PR ( OpenSSL ) that Ubuntu 16.04 is kept in the C.I. specifically for testing against older OpenSSL versions. But the tests (the few that coturn has) don't all run on ubuntu 16.04. Most of them do, but not everything.
I think the benefits of dropping OpenSSL <1.1.1 outweigh the negatives by a large amount, personally.
If that's how you want to do it then that's fine. If you want to do that, I would prefer that 4.6.3 be tagged soon (next week or two, if that's doable?), so that I can make new PRs that build off of this one soon. I recommend:
But just removing OpenSSL <1.1.1 is sufficient for my needs regardless of my recommendations. |
ec31a96
to
4d32823
Compare
To follow |
fd54b33
to
a0749d7
Compare
6adbea1
to
a5c3428
Compare
1bb4fd5
to
88fdb02
Compare
Hi @eakraly it's been about 6 months since we discussed tagging a new version, and then merging this change. Is that still the plan? |
88fdb02
to
f7074a4
Compare
Openssl 1.1.1 is end-of-life in September 2023.
This PR removes support for versions of openssl OLDER than 1.1.1
1.1.1 should still be usable after this change is merged.
I don't see any value in supporting 1.1.1, but didn't see a reason to purge support for 1.1.1 when there are so few checks for >= 3.0.
Note that this does also remove CI support for Ubuntu 16.04. The official version of OpenSSL from Ubuntu for this release is listed here: https://launchpad.net/ubuntu/+source/openssl as 1.0.2g
Since no newer releases of coturn will be backported by Canonical to Ubuntu 16.04, anyone using Coturn on this operating system will have to download and compile it themselves. They may build their own version of OpenSSL if they somehow cannot upgrade to a newer version of Ubuntu.
My position is that these users should prefer to upgrade to a newer operating system than worry about chasing newer releases of Coturn.