| Message ID | 20260123123336.41126-1-peter.marko@siemens.com |
|---|---|
| Headers | show |
| Series | openssl: upgrade 3.2.6 -> 3.5.4 | expand |
Le ven. 23 janv. 2026 à 13:33, Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> a écrit : > Intention of this RFC is to run full autobuilder job matrix to see if > there are any failures not detected by my local testsuite. > I created a poky branch with this patch : https://git.yoctoproject.org/poky-contrib/log/?h=ycongal/scarthgap/openssl_3.5_upgrade (above my -nut branch to decrease the probability of an unrelated AB-INT failure) I've started the build : https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118 > Topic for discussion is especially what should be the final form of this > upgrade as some users may want to stay on openssl 3.2.x originally > shipped with Yocto 5.0 Scarthgap. > Current form was chosen to easily review recipe/patch differences. > Is it fine to overwrite or do we need to keep both version and make one > the default and other optional? Which would be tested on AB? > > Peter Marko (1): > openssl: upgrade 3.2.6 -> 3.5.4 > > .../openssl/files/environment.d-openssl.sh | 9 ++- > ...ke-history-reporting-when-test-fails.patch | 19 +++-- > ...1-Configure-do-not-tweak-mips-cflags.patch | 4 +- > ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++--- > .../0001-extend-check_cwm-test-timeout.patch | 32 ++++++++ > .../openssl/openssl/CVE-2024-41996.patch | 44 ----------- > .../{openssl_3.2.6.bb => openssl_3.5.4.bb} | 76 +++++++++++++------ > 7 files changed, 116 insertions(+), 94 deletions(-) > create mode 100644 > meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch > delete mode 100644 > meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch > rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => > openssl_3.5.4.bb} (75%) > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#229884): > https://lists.openembedded.org/g/openembedded-core/message/229884 > Mute This Topic: https://lists.openembedded.org/mt/117416674/4316185 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > yoann.congal@smile.fr] > -=-=-=-=-=-=-=-=-=-=-=- > >
Le ven. 23 janv. 2026 à 18:02, Yoann Congal <yoann.congal@smile.fr> a écrit : > Le ven. 23 janv. 2026 à 13:33, Peter Marko via lists.openembedded.org > <peter.marko=siemens.com@lists.openembedded.org> a écrit : > >> Intention of this RFC is to run full autobuilder job matrix to see if >> there are any failures not detected by my local testsuite. >> > > I created a poky branch with this patch : > https://git.yoctoproject.org/poky-contrib/log/?h=ycongal/scarthgap/openssl_3.5_upgrade > (above my -nut branch to decrease the probability of an unrelated AB-INT > failure) > > I've started the build : > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118 > a-full build was successful: https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118 > Topic for discussion is especially what should be the final form of this >> upgrade as some users may want to stay on openssl 3.2.x originally >> shipped with Yocto 5.0 Scarthgap. >> Current form was chosen to easily review recipe/patch differences. >> Is it fine to overwrite or do we need to keep both version and make one >> the default and other optional? Which would be tested on AB? >> >> Peter Marko (1): >> openssl: upgrade 3.2.6 -> 3.5.4 >> >> .../openssl/files/environment.d-openssl.sh | 9 ++- >> ...ke-history-reporting-when-test-fails.patch | 19 +++-- >> ...1-Configure-do-not-tweak-mips-cflags.patch | 4 +- >> ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++--- >> .../0001-extend-check_cwm-test-timeout.patch | 32 ++++++++ >> .../openssl/openssl/CVE-2024-41996.patch | 44 ----------- >> .../{openssl_3.2.6.bb => openssl_3.5.4.bb} | 76 +++++++++++++------ >> 7 files changed, 116 insertions(+), 94 deletions(-) >> create mode 100644 >> meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch >> delete mode 100644 >> meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch >> rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => >> openssl_3.5.4.bb} (75%) >> >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#229884): >> https://lists.openembedded.org/g/openembedded-core/message/229884 >> Mute This Topic: https://lists.openembedded.org/mt/117416674/4316185 >> Group Owner: openembedded-core+owner@lists.openembedded.org >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ >> yoann.congal@smile.fr] >> -=-=-=-=-=-=-=-=-=-=-=- >> >> > > -- > Yoann Congal > Smile ECS >
> -----Original Message----- > From: Yoann Congal <yoann.congal@smile.fr> > Sent: Saturday, January 24, 2026 11:30 > To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com> > Cc: openembedded-core@lists.openembedded.org > Subject: Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> > 3.5.4 > > > > I've started the build : > > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118 > > > > a-full build was successful: > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118 > Thanks a lot for running the build. Peter
Le ven. 23 janv. 2026 à 18:02, Yoann Congal <yoann.congal@smile.fr> a écrit : > Le ven. 23 janv. 2026 à 13:33, Peter Marko via lists.openembedded.org > <peter.marko=siemens.com@lists.openembedded.org> a écrit : > >> Intention of this RFC is to run full autobuilder job matrix to see if >> there are any failures not detected by my local testsuite. >> > > I created a poky branch with this patch : > https://git.yoctoproject.org/poky-contrib/log/?h=ycongal/scarthgap/openssl_3.5_upgrade > (above my -nut branch to decrease the probability of an unrelated AB-INT > failure) > > I've started the build : > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118 > Hello, As discussed during the tech call of last tuesday, I've started builds: * a new a-full with rebased branch on the latest scarthgap (now, the branch is only scarthgap+this upgrade) * https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3133/ failed on a unrelated AB-INT issue (#15945) but is otherwise OK * a meta-oe build (which includes a world build for meta-oe, meta-python, meta-networking & meta-filesystems): * https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1277 * *Failed on python3-m2crypto* (log.do_compile => https://gist.github.com/ycongal-smile/4c6501ecd81c9f475b793234cceb7a74) * to compare, I've started the same build with a vanilla scarthgap branch (without the openssl upgrade): * https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1278 => success (albeit with warnings) Can you investigate this python3-m2crypto failure? Also, the "meta-oe" build does not cover every layer in meta-openembedded, I think I will increase coverage to all the meta-openembedded layers for the next run... Topic for discussion is especially what should be the final form of this >> upgrade as some users may want to stay on openssl 3.2.x originally >> shipped with Yocto 5.0 Scarthgap. >> Current form was chosen to easily review recipe/patch differences. >> Is it fine to overwrite or do we need to keep both version and make one >> the default and other optional? Which would be tested on AB? >> >> Peter Marko (1): >> openssl: upgrade 3.2.6 -> 3.5.4 >> >> .../openssl/files/environment.d-openssl.sh | 9 ++- >> ...ke-history-reporting-when-test-fails.patch | 19 +++-- >> ...1-Configure-do-not-tweak-mips-cflags.patch | 4 +- >> ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++--- >> .../0001-extend-check_cwm-test-timeout.patch | 32 ++++++++ >> .../openssl/openssl/CVE-2024-41996.patch | 44 ----------- >> .../{openssl_3.2.6.bb => openssl_3.5.4.bb} | 76 +++++++++++++------ >> 7 files changed, 116 insertions(+), 94 deletions(-) >> create mode 100644 >> meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch >> delete mode 100644 >> meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch >> rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => >> openssl_3.5.4.bb} (75%) >> >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#229884): >> https://lists.openembedded.org/g/openembedded-core/message/229884 >> Mute This Topic: https://lists.openembedded.org/mt/117416674/4316185 >> Group Owner: openembedded-core+owner@lists.openembedded.org >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ >> yoann.congal@smile.fr] >> -=-=-=-=-=-=-=-=-=-=-=- >> >> > > -- > Yoann Congal > Smile ECS >
I have checked the m2crypto build issue and found out that I had to fix this for newer Yocto releases already.
https://git.openembedded.org/meta-openembedded/commit/?id=f9158ce32fffa6f18eed4008c3295146c81d55ea
Applying this commit to scarthgap works, so I have submitted it.
https://lists.openembedded.org/g/openembedded-devel/message/124019
Peter
From: Yoann Congal <yoann.congal@smile.fr>
Sent: Wednesday, January 28, 2026 12:05
To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 -> 3.5.4
Le ven. 23 janv. 2026 à 18:02, Yoann Congal <yoann.congal@smile.fr<mailto:yoann.congal@smile.fr>> a écrit :
Le ven. 23 janv. 2026 à 13:33, Peter Marko via lists.openembedded.org<http://lists.openembedded.org> <peter.marko=siemens.com@lists.openembedded.org<mailto:siemens.com@lists.openembedded.org>> a écrit :
Intention of this RFC is to run full autobuilder job matrix to see if
there are any failures not detected by my local testsuite.
I created a poky branch with this patch : https://git.yoctoproject.org/poky-contrib/log/?h=ycongal/scarthgap/openssl_3.5_upgrade
(above my -nut branch to decrease the probability of an unrelated AB-INT failure)
I've started the build : https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118
Hello,
As discussed during the tech call of last tuesday, I've started builds:
* a new a-full with rebased branch on the latest scarthgap (now, the branch is only scarthgap+this upgrade)
* https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3133/ failed on a unrelated AB-INT issue (#15945) but is otherwise OK
* a meta-oe build (which includes a world build for meta-oe, meta-python, meta-networking & meta-filesystems):
* https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1277
* *Failed on python3-m2crypto* (log.do_compile => https://gist.github.com/ycongal-smile/4c6501ecd81c9f475b793234cceb7a74)
* to compare, I've started the same build with a vanilla scarthgap branch (without the openssl upgrade):
* https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1278 => success (albeit with warnings)
Can you investigate this python3-m2crypto failure?
Also, the "meta-oe" build does not cover every layer in meta-openembedded, I think I will increase coverage to all the meta-openembedded layers for the next run...
Topic for discussion is especially what should be the final form of this
upgrade as some users may want to stay on openssl 3.2.x originally
shipped with Yocto 5.0 Scarthgap.
Current form was chosen to easily review recipe/patch differences.
Is it fine to overwrite or do we need to keep both version and make one
the default and other optional? Which would be tested on AB?
Peter Marko (1):
openssl: upgrade 3.2.6 -> 3.5.4
.../openssl/files/environment.d-openssl.sh<http://environment.d-openssl.sh> | 9 ++-
...ke-history-reporting-when-test-fails.patch | 19 +++--
...1-Configure-do-not-tweak-mips-cflags.patch | 4 +-
...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
.../0001-extend-check_cwm-test-timeout.patch | 32 ++++++++
.../openssl/openssl/CVE-2024-41996.patch | 44 -----------
.../{openssl_3.2.6.bb<http://openssl_3.2.6.bb> => openssl_3.5.4.bb<http://openssl_3.5.4.bb>} | 76 +++++++++++++------
7 files changed, 116 insertions(+), 94 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb<http://openssl_3.2.6.bb> => openssl_3.5.4.bb<http://openssl_3.5.4.bb>} (75%)
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#229884): https://lists.openembedded.org/g/openembedded-core/message/229884
Mute This Topic: https://lists.openembedded.org/mt/117416674/4316185
Group Owner: openembedded-core+owner@lists.openembedded.org<mailto:openembedded-core%2Bowner@lists.openembedded.org>
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [yoann.congal@smile.fr<mailto:yoann.congal@smile.fr>]
-=-=-=-=-=-=-=-=-=-=-=-
--
Yoann Congal
Smile ECS
--
Yoann Congal
Smile ECS
Le sam. 31 janv. 2026 à 19:47, Marko, Peter <Peter.Marko@siemens.com> a écrit : > I have checked the m2crypto build issue and found out that I had to fix > this for newer Yocto releases already. > > > https://git.openembedded.org/meta-openembedded/commit/?id=f9158ce32fffa6f18eed4008c3295146c81d55ea > > Applying this commit to scarthgap works, so I have submitted it. > > https://lists.openembedded.org/g/openembedded-devel/message/124019 > Thanks Peter, I've put that m2crypto patch on a branch and ran a full meta-openembedded world build (every layers under meta-openembedded) https://autobuilder.yoctoproject.org/valkyrie/?#/builders/81/builds/1285 => Only warnings (reference to TMPDIR [buildpaths]) that are most likely not related to the openssl upgrade > Peter > > > > *From:* Yoann Congal <yoann.congal@smile.fr> > *Sent:* Wednesday, January 28, 2026 12:05 > *To:* Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com> > *Cc:* openembedded-core@lists.openembedded.org > *Subject:* Re: [OE-core][scarthgap][RFC PATCH 0/1] openssl: upgrade 3.2.6 > -> 3.5.4 > > > > Le ven. 23 janv. 2026 à 18:02, Yoann Congal <yoann.congal@smile.fr> a > écrit : > > Le ven. 23 janv. 2026 à 13:33, Peter Marko via lists.openembedded.org > <peter.marko=siemens.com@lists.openembedded.org> a écrit : > > Intention of this RFC is to run full autobuilder job matrix to see if > there are any failures not detected by my local testsuite. > > > > I created a poky branch with this patch : > https://git.yoctoproject.org/poky-contrib/log/?h=ycongal/scarthgap/openssl_3.5_upgrade > > (above my -nut branch to decrease the probability of an unrelated AB-INT > failure) > > > > I've started the build : > https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/3118 > > > > Hello, > > > > As discussed during the tech call of last tuesday, I've started builds: > > * a new a-full with rebased branch on the latest scarthgap (now, the > branch is only scarthgap+this upgrade) > > * > https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3133/ > failed on a unrelated AB-INT issue (#15945) but is otherwise OK > > * a meta-oe build (which includes a world build for meta-oe, meta-python, > meta-networking & meta-filesystems): > > * > https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1277 > > * *Failed on python3-m2crypto* (log.do_compile => > https://gist.github.com/ycongal-smile/4c6501ecd81c9f475b793234cceb7a74) > > * to compare, I've started the same build with a vanilla scarthgap branch > (without the openssl upgrade): > > * > https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1278 > => success (albeit with warnings) > > > > Can you investigate this python3-m2crypto failure? > > > > Also, the "meta-oe" build does not cover every layer in meta-openembedded, > I think I will increase coverage to all the meta-openembedded layers for > the next run... > > > > > > Topic for discussion is especially what should be the final form of this > upgrade as some users may want to stay on openssl 3.2.x originally > shipped with Yocto 5.0 Scarthgap. > Current form was chosen to easily review recipe/patch differences. > Is it fine to overwrite or do we need to keep both version and make one > the default and other optional? Which would be tested on AB? > > Peter Marko (1): > openssl: upgrade 3.2.6 -> 3.5.4 > > .../openssl/files/environment.d-openssl.sh | 9 ++- > ...ke-history-reporting-when-test-fails.patch | 19 +++-- > ...1-Configure-do-not-tweak-mips-cflags.patch | 4 +- > ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++--- > .../0001-extend-check_cwm-test-timeout.patch | 32 ++++++++ > .../openssl/openssl/CVE-2024-41996.patch | 44 ----------- > .../{openssl_3.2.6.bb => openssl_3.5.4.bb} | 76 +++++++++++++------ > 7 files changed, 116 insertions(+), 94 deletions(-) > create mode 100644 > meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch > delete mode 100644 > meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch > rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => > openssl_3.5.4.bb} (75%) > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#229884): > https://lists.openembedded.org/g/openembedded-core/message/229884 > Mute This Topic: https://lists.openembedded.org/mt/117416674/4316185 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > yoann.congal@smile.fr] > -=-=-=-=-=-=-=-=-=-=-=- > > > > -- > > Yoann Congal > > Smile ECS > > > > -- > > Yoann Congal > > Smile ECS >
Intention of this RFC is to run full autobuilder job matrix to see if there are any failures not detected by my local testsuite. Topic for discussion is especially what should be the final form of this upgrade as some users may want to stay on openssl 3.2.x originally shipped with Yocto 5.0 Scarthgap. Current form was chosen to easily review recipe/patch differences. Is it fine to overwrite or do we need to keep both version and make one the default and other optional? Which would be tested on AB? Peter Marko (1): openssl: upgrade 3.2.6 -> 3.5.4 .../openssl/files/environment.d-openssl.sh | 9 ++- ...ke-history-reporting-when-test-fails.patch | 19 +++-- ...1-Configure-do-not-tweak-mips-cflags.patch | 4 +- ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++--- .../0001-extend-check_cwm-test-timeout.patch | 32 ++++++++ .../openssl/openssl/CVE-2024-41996.patch | 44 ----------- .../{openssl_3.2.6.bb => openssl_3.5.4.bb} | 76 +++++++++++++------ 7 files changed, 116 insertions(+), 94 deletions(-) create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => openssl_3.5.4.bb} (75%)