Hi all!
While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP
8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is
only supported till 2023-09-11[1], while PHP 8.1 is supported till
2024-11-25[2]. Although I don't like bumping the OpenSSL version in the
middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling
behind security support. And if we do that bump, we better do it sooner
than later.
So, if there are no unforeseen problems, I suggest to build PHP
8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with
OpenSSL 1.1.1).
Thoughts? Objections?
[1] https://www.openssl.org/policies/releasestrat.html
[2] https://www.php.net/supported-versions.php
--
Christoph M. Becker
+1, we don't want to bundle and maintain and monkey-patch 1.1.1
ourselves for 14.4 months,
which I guess would be the alternative.
Hi all!
While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP
8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is
only supported till 2023-09-11[1], while PHP 8.1 is supported till
2024-11-25[2]. Although I don't like bumping the OpenSSL version in the
middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling
behind security support. And if we do that bump, we better do it sooner
than later.So, if there are no unforeseen problems, I suggest to build PHP
8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with
OpenSSL 1.1.1).Thoughts? Objections?
[1] https://www.openssl.org/policies/releasestrat.html
[2] https://www.php.net/supported-versions.php--
Christoph M. Becker--
To unsubscribe, visit: https://www.php.net/unsub.php
"Christoph M. Becker" in php.internals (Wed, 18 Jan 2023 13:20:41 +0100):
Hi all!
While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP
8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is
only supported till 2023-09-11[1], while PHP 8.1 is supported till
2024-11-25[2]. Although I don't like bumping the OpenSSL version in the
middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling
behind security support. And if we do that bump, we better do it sooner
than later.So, if there are no unforeseen problems, I suggest to build PHP
8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with
OpenSSL 1.1.1).
I do not mind, but I just noticed that even the official PHP 8.1.19 RC1
still ships with OpenSSL 1.1.1. What is the status?
Jan
Hi Christoph,
"Christoph M. Becker" in php.internals (Wed, 18 Jan 2023 13:20:41 +0100):
While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP
8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is
only supported till 2023-09-11[1], while PHP 8.1 is supported till
2024-11-25[2]. Although I don't like bumping the OpenSSL version in the
middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling
behind security support. And if we do that bump, we better do it sooner
than later.So, if there are no unforeseen problems, I suggest to build PHP
8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with
OpenSSL 1.1.1).Thoughts? Objections?
[1] https://www.openssl.org/policies/releasestrat.html
[2] https://www.php.net/supported-versions.php
I noticed that PHP 8.1.20 at https://windows.php.net/download/ was built
with OpenSSL 1.1.1t and PHP 8.2.7 & 8.3.0 Alpha 1 with OpenSSL 3.0.8. What
will be the official policy for 8.1, 8.2 and 8.3? All 3 versions with
OpenSSL 3.0.x or 8.1 still with OpenSSL 1.1.1? And none of the three
versions with OpenSSL 3.1.x? Please clarify.
Jan
Hi Christoph,
"Christoph M. Becker" in php.internals (Wed, 18 Jan 2023 13:20:41 +0100):
While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP
8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is
only supported till 2023-09-11[1], while PHP 8.1 is supported till
2024-11-25[2]. Although I don't like bumping the OpenSSL version in the
middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling
behind security support. And if we do that bump, we better do it sooner
than later.So, if there are no unforeseen problems, I suggest to build PHP
8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with
OpenSSL 1.1.1).Thoughts? Objections?
[1] https://www.openssl.org/policies/releasestrat.html
[2] https://www.php.net/supported-versions.phpI noticed that PHP 8.1.20 at https://windows.php.net/download/ was built
with OpenSSL 1.1.1t and PHP 8.2.7 & 8.3.0 Alpha 1 with OpenSSL 3.0.8. What
will be the official policy for 8.1, 8.2 and 8.3? All 3 versions with
OpenSSL 3.0.x or 8.1 still with OpenSSL 1.1.1? And none of the three
versions with OpenSSL 3.1.x? Please clarify.
What’s the process for changing this? Do release managers need to change the way we bundle the packages, or does something need to be merged into the PHP-8.1 branch?
Cheers,
Ben
Hi Christoph,
"Christoph M. Becker" in php.internals (Wed, 18 Jan 2023 13:20:41 +0100):
While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP
8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is
only supported till 2023-09-11[1], while PHP 8.1 is supported till
2024-11-25[2]. Although I don't like bumping the OpenSSL version in the
middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling
behind security support. And if we do that bump, we better do it sooner
than later.So, if there are no unforeseen problems, I suggest to build PHP
8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with
OpenSSL 1.1.1).Thoughts? Objections?
[1] https://www.openssl.org/policies/releasestrat.html
[2] https://www.php.net/supported-versions.phpI noticed that PHP 8.1.20 at https://windows.php.net/download/ was built
with OpenSSL 1.1.1t and PHP 8.2.7 & 8.3.0 Alpha 1 with OpenSSL 3.0.8. What
will be the official policy for 8.1, 8.2 and 8.3? All 3 versions with
OpenSSL 3.0.x or 8.1 still with OpenSSL 1.1.1? And none of the three
versions with OpenSSL 3.1.x? Please clarify.What’s the process for changing this? Do release managers need to change the way we bundle the packages, or does something need to be merged into the PHP-8.1 branch?
Does anyone know the answer to this question?
Cheers,
Ben
Hi Christoph,
"Christoph M. Becker" in php.internals (Wed, 18 Jan 2023 13:20:41 +0100):
While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP
8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is
only supported till 2023-09-11[1], while PHP 8.1 is supported till
2024-11-25[2]. Although I don't like bumping the OpenSSL version in the
middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling
behind security support. And if we do that bump, we better do it sooner
than later.So, if there are no unforeseen problems, I suggest to build PHP
8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with
OpenSSL 1.1.1).Thoughts? Objections?
[1] https://www.openssl.org/policies/releasestrat.html
[2] https://www.php.net/supported-versions.phpI noticed that PHP 8.1.20 at https://windows.php.net/download/ was built
with OpenSSL 1.1.1t and PHP 8.2.7 & 8.3.0 Alpha 1 with OpenSSL 3.0.8. What
will be the official policy for 8.1, 8.2 and 8.3? All 3 versions with
OpenSSL 3.0.x or 8.1 still with OpenSSL 1.1.1? And none of the three
versions with OpenSSL 3.1.x? Please clarify.What’s the process for changing this? Do release managers need to change the way we bundle the packages, or does something need to be merged into the PHP-8.1 branch?
I've still not heard anything back regarding this.
Is there anything the release managers need to do, or is this an issue
specifically for the Windows builds?
If it's for the Windows builds only, how can we help facilitate this change?
Cheers,
Ben