Subject: Re: PostgreSQL and OpenSSL 4.0.0
From: Daniel Gustafsson
Date: Fri, 8 May 2026 09:07:41 +0200
To: Tom Lane
Cc: Michael Paquier, PostgreSQL-development

> On 8 May 2026, at 00:22, Tom Lane wrote:
>
> Michael Paquier writes:
>> On Thu, May 07, 2026 at 03:44:45PM +0200, Daniel Gustafsson wrote:
>>> For 14 through master the attached compiles without warnings and tests green on
>>> all the supported versions of OpenSSL and LibreSSL. That being said, I'm not
>>> sure that we want to go all the way to 14 since if something does break, we
>>> can't really go around fixing it - I think amending the docs in 14 stating that
>>> OpenSSL 3.6 is the highest supported version is a better solution.
>
>> One issue with this approach is that any builds on these branches (say
>> REL_14_STABLE + OpenSSL 1.0.1) would be forced to either upgrade
>> OpenSSL to at least 3.6 for a minor Postgres update or give up on any
>> fix we can put on the 14 stable branch for six more months. None of
>> these solutions are cool.

Not sure I follow, anyone still building with an X years out of support OpenSSL
will most likely keep doing so regardless of what CVEs are published. It
could of course make backpatching trickier if that's what you mean?

> With one eye on the calendar, I think the right way to proceed is to
> push this to all branches (including 14) soon after next week's
> releases. I feel this is too high-risk to shove in just before a
> release, but shortly after one is ideal since we'll have 3 months to
> find out any problems.
>
> I would support omitting 14 if we were down to just one remaining
> release for it, but we'll have 2 (August and November). So there
> will still be an opportunity to fix things if there's an issue
> that manages to escape notice until after the August releases.

Doh.. thanks. I was off-by-one and convinced myself we only have one more
minor on 14. With two more scheduled I agree that we should go for OpenSSL 4
support in 14 as well. I'll re-test and prep all the branches with all the
versions of OpenSSL so that I can get this in shortly after next week's
releases go out.

--
Daniel Gustafsson