Обсуждение: El Capitan Removes OpenSSL Headers
Hackers, Looks like Mac OS X 10.11 El Capitan has remove the OpenSSL header files. They recommend building your own or using nativeOS X SDKs, like Secure Transport: http://lists.apple.com/archives/macnetworkprog/2015/Jun/msg00025.html I don’t suppose anyone has looked at what it would take to get PostgreSQL use Secure Transport, right? Here are the docs: https://developer.apple.com/library/ios/documentation/Security/Reference/secureTransportRef/index.html If it’s not feasible, those of use who need SSL connections on OS X will just have to build OpenSSL ourselves (or installfrom Homebrew or MacPorts). David
"David E. Wheeler" <david@justatheory.com> writes: > Looks like Mac OS X 10.11 El Capitan has remove the OpenSSL header files. They recommend building your own or using nativeOS X SDKs, like Secure Transport: > http://lists.apple.com/archives/macnetworkprog/2015/Jun/msg00025.html That's annoying. > I don’t suppose anyone has looked at what it would take to get PostgreSQL use Secure Transport, right? This is going to put a bit more urgency into the project Heikki had been working on to allow use of more than one SSL implementation. I can't really see us back-porting that, though, which is going to leave things in a fairly nasty place for all pre-9.6 branches ... regards, tom lane
On Tue, Dec 1, 2015 at 2:56 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > "David E. Wheeler" <david@justatheory.com> writes: >> Looks like Mac OS X 10.11 El Capitan has remove the OpenSSL header files. They recommend building your own or using nativeOS X SDKs, like Secure Transport: >> http://lists.apple.com/archives/macnetworkprog/2015/Jun/msg00025.html > > That's annoying. > >> I don’t suppose anyone has looked at what it would take to get PostgreSQL use Secure Transport, right? > > This is going to put a bit more urgency into the project Heikki had been > working on to allow use of more than one SSL implementation. I can't > really see us back-porting that, though, which is going to leave things > in a fairly nasty place for all pre-9.6 branches ... I think it'd be great to finish that project, but having to use MacPorts to install the headers isn't really a big deal, is it? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Robert Haas <robertmhaas@gmail.com> writes:
> On Tue, Dec 1, 2015 at 2:56 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> "David E. Wheeler" <david@justatheory.com> writes:
>>> I don’t suppose anyone has looked at what it would take to get PostgreSQL use Secure Transport, right?
>> This is going to put a bit more urgency into the project Heikki had been
>> working on to allow use of more than one SSL implementation. I can't
>> really see us back-porting that, though, which is going to leave things
>> in a fairly nasty place for all pre-9.6 branches ...
> I think it'd be great to finish that project, but having to use
> MacPorts to install the headers isn't really a big deal, is it?
Well, you'd have to use MacPorts' version of the openssl libraries,
too, since there'd be no certainty that their headers match the
Apple-provided libraries (in fact, I'd bet a lot that they don't).
This would be a pain if you wanted to put your compiled PG executables
on some other Mac.
regards, tom lane
On Tue, Dec 1, 2015 at 9:14 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Robert Haas <robertmhaas@gmail.com> writes:
> On Tue, Dec 1, 2015 at 2:56 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> "David E. Wheeler" <david@justatheory.com> writes:
>>> I don’t suppose anyone has looked at what it would take to get PostgreSQL use Secure Transport, right?
>> This is going to put a bit more urgency into the project Heikki had been
>> working on to allow use of more than one SSL implementation. I can't
>> really see us back-porting that, though, which is going to leave things
>> in a fairly nasty place for all pre-9.6 branches ...
> I think it'd be great to finish that project, but having to use
> MacPorts to install the headers isn't really a big deal, is it?
Well, you'd have to use MacPorts' version of the openssl libraries,
too, since there'd be no certainty that their headers match the
Apple-provided libraries (in fact, I'd bet a lot that they don't).
This would be a pain if you wanted to put your compiled PG executables
on some other Mac.
Presumably the folks who build Postgres.app and the EDB installers will take care of that for the big majority of people though, won't they?
I agree it's something we should fix, but I'm not sure it's that urgent. It's no different from what Windows people have been dealing with all along, is it? And while it affects pg developers, I doubt it'll hit that many users?
On Tue, Dec 1, 2015 at 3:14 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> On Tue, Dec 1, 2015 at 2:56 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >>> "David E. Wheeler" <david@justatheory.com> writes: >>>> I don’t suppose anyone has looked at what it would take to get PostgreSQL use Secure Transport, right? > >>> This is going to put a bit more urgency into the project Heikki had been >>> working on to allow use of more than one SSL implementation. I can't >>> really see us back-porting that, though, which is going to leave things >>> in a fairly nasty place for all pre-9.6 branches ... > >> I think it'd be great to finish that project, but having to use >> MacPorts to install the headers isn't really a big deal, is it? > > Well, you'd have to use MacPorts' version of the openssl libraries, > too, since there'd be no certainty that their headers match the > Apple-provided libraries (in fact, I'd bet a lot that they don't). > This would be a pain if you wanted to put your compiled PG executables > on some other Mac. Yeah, I guess it means that people building for MacOS X will probably have to ship OpenSSL as a dependency, which also means that they will need to update it when new versions are released. That is already a pretty obnoxious disease on Windows, and it's unfortunate to see it spreading. It would save us a good deal of staff time here at EnterpriseDB if we didn't have to do new releases of everything on Windows every time there is an OpenSSL update. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
On Tue, Dec 1, 2015 at 03:35:39PM -0500, Robert Haas wrote: > > Well, you'd have to use MacPorts' version of the openssl libraries, > > too, since there'd be no certainty that their headers match the > > Apple-provided libraries (in fact, I'd bet a lot that they don't). > > This would be a pain if you wanted to put your compiled PG executables > > on some other Mac. > > Yeah, I guess it means that people building for MacOS X will probably > have to ship OpenSSL as a dependency, which also means that they will > need to update it when new versions are released. That is already a > pretty obnoxious disease on Windows, and it's unfortunate to see it > spreading. It would save us a good deal of staff time here at > EnterpriseDB if we didn't have to do new releases of everything on > Windows every time there is an OpenSSL update. Do we still have licensing issues if we ship Postgres and OpenSSL together? -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Roman grave inscription +
Bruce Momjian wrote: > Do we still have licensing issues if we ship Postgres and OpenSSL > together? See https://www.postgresql.org/message-id/20150801151410.GA28344%40awork2.anarazel.de -- Álvaro Herrera http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
On Tue, Dec 1, 2015 at 06:40:09PM -0300, Alvaro Herrera wrote: > Bruce Momjian wrote: > > > Do we still have licensing issues if we ship Postgres and OpenSSL > > together? > > See > https://www.postgresql.org/message-id/20150801151410.GA28344%40awork2.anarazel.de True, but the current license is unchanged and has the advertising clause, which I think we have to honor if we ship OpenSSL: https://www.openssl.org/source/license.html I assume Windows has to ship OpenSSL with the installer and has to abide by this, for example. OSX might have to do the same. It might be good to see what we do for Windows packages. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Roman grave inscription +
On Tue, Dec 1, 2015 at 9:55 PM, Bruce Momjian <bruce@momjian.us> wrote: > On Tue, Dec 1, 2015 at 06:40:09PM -0300, Alvaro Herrera wrote: >> Bruce Momjian wrote: >> >> > Do we still have licensing issues if we ship Postgres and OpenSSL >> > together? >> >> See >> https://www.postgresql.org/message-id/20150801151410.GA28344%40awork2.anarazel.de > > True, but the current license is unchanged and has the advertising > clause, which I think we have to honor if we ship OpenSSL: > > https://www.openssl.org/source/license.html > > I assume Windows has to ship OpenSSL with the installer and has to abide > by this, for example. OSX might have to do the same. It might be good > to see what we do for Windows packages. We already do it for all our installers - Windows, OSX and Linux. We have to, otherwise we wouldn't be able to ensure the same binaries would run on all the different supported versions. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company
On Wed, Dec 2, 2015 at 08:53:07AM +0000, Dave Page wrote: > On Tue, Dec 1, 2015 at 9:55 PM, Bruce Momjian <bruce@momjian.us> wrote: > > On Tue, Dec 1, 2015 at 06:40:09PM -0300, Alvaro Herrera wrote: > >> Bruce Momjian wrote: > >> > >> > Do we still have licensing issues if we ship Postgres and OpenSSL > >> > together? > >> > >> See > >> https://www.postgresql.org/message-id/20150801151410.GA28344%40awork2.anarazel.de > > > > True, but the current license is unchanged and has the advertising > > clause, which I think we have to honor if we ship OpenSSL: > > > > https://www.openssl.org/source/license.html > > > > I assume Windows has to ship OpenSSL with the installer and has to abide > > by this, for example. OSX might have to do the same. It might be good > > to see what we do for Windows packages. > > We already do it for all our installers - Windows, OSX and Linux. We > have to, otherwise we wouldn't be able to ensure the same binaries > would run on all the different supported versions. OK, good. So the Mac installers would have to do the same thing if they also start shipping OpenSSL too. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Roman grave inscription +
On Wed, Dec 2, 2015 at 1:06 PM, Bruce Momjian <bruce@momjian.us> wrote: > On Wed, Dec 2, 2015 at 08:53:07AM +0000, Dave Page wrote: >> On Tue, Dec 1, 2015 at 9:55 PM, Bruce Momjian <bruce@momjian.us> wrote: >> > On Tue, Dec 1, 2015 at 06:40:09PM -0300, Alvaro Herrera wrote: >> >> Bruce Momjian wrote: >> >> >> >> > Do we still have licensing issues if we ship Postgres and OpenSSL >> >> > together? >> >> >> >> See >> >> https://www.postgresql.org/message-id/20150801151410.GA28344%40awork2.anarazel.de >> > >> > True, but the current license is unchanged and has the advertising >> > clause, which I think we have to honor if we ship OpenSSL: >> > >> > https://www.openssl.org/source/license.html >> > >> > I assume Windows has to ship OpenSSL with the installer and has to abide >> > by this, for example. OSX might have to do the same. It might be good >> > to see what we do for Windows packages. >> >> We already do it for all our installers - Windows, OSX and Linux. We >> have to, otherwise we wouldn't be able to ensure the same binaries >> would run on all the different supported versions. > > OK, good. So the Mac installers would have to do the same thing if they > also start shipping OpenSSL too. OSX == Mac. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company