Add CRuby security-fix releases 3.0.7, 3.1.5, 3.2.4, and 3.3.1 #2370
Conversation
|
Thanks @kpfleming @hsbt! I have a short question - why are we going with OpenSSL 3.1.4 here specifically, instead of 3.1.5, or the newer 3.2 or 3.3 families? https://www.openssl.org/source/ lists 3.3.0 as the newest version, released ~2 weeks ago, with 3.1.5 released this january |
|
Because ruby-build/script/update-cruby Line 28 in 346c0dc ruby-build/share/ruby-build/3.3.0 Line 1 in 346c0dc In general OpenSSL versions are updated in their own PR (and there is https://github.com/rbenv/ruby-build/blob/master/script/update-openssl) |
|
IOW, please make a PR if you'd like to update openssl ;) |
|
@eregon Got it, thanks! I'm not sure though which version to go with, is it safe to go all the way to 3.3.0 from 3.1.4, or just 3.1.5? I'm not familiar with the versioning policies and compatibility of OpenSSL |
|
@colszowka Thanks for pinging about this. I'm making a PR to upgrade to openssl 3.1.5.
We could also update our Ruby build formulae to depend on OpenSSL 3.2 or 3.3, but since we've been depending on OpenSSL 3.1.x for a while now and since that branch is still maintained by the OpenSSL team, my vote is to stick with the 3.1.x branch for as long as it's maintained or until there is a concrete need to upgrade to OpenSSL 3.2/3.3, e.g. to gain access to a newer feature. |
https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-0-7-released/
https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-1-5-released/
https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-2-4-released/
https://www.ruby-lang.org/en/news/2024/04/23/ruby-3-3-1-released/