Remove OpenSSL 1.0 #46876

Merged
merged 1 commit into from
Nov 21, 2019

fxcoudert
Member

OpenSSL 1.0 will reach EOL on 2019-12-31

Will only test this PR once #46875 is merged

@fxcoudert fxcoudert added the "marked for removal/rejection" and "maintainer feedback" labels Nov 18, 2019
@fxcoudert
Member Author

Question for fellow @Homebrew/core maintainers: do we wait to remove it at the last minute (on 2019-12-31)?

I say let's do it now, to avoid accidental reuse (like we recently merged 3 new formulas with openssl dependency, without noticing)

@fxcoudert
Member Author

@BrewTestBot test this please

@Bo98
Member

Bo98 commented Nov 18, 2019

As an FYI: the latest Debian (experimental) patch is https://sources.debian.org/data/main/v/virtuoso-opensource/7.2.5.1+dfsg-2/debian/patches/ssl1.1.patch

@fxcoudert
Member Author

@Bo98 I'm happy with a Debian patch if it applies cleanly. Could you open a PR?

@MikeMcQuaid
Member

@Bo98 and can you ensure the Debian patch was submitted upstream and add a comment to the upstream submission? Thanks ❤️

@Bo98
Member

Bo98 commented Nov 18, 2019

@fxcoudert I'll test it out shortly.

@MikeMcQuaid Debian say they forwarded it via openlink/virtuoso-opensource#583, but that's not strictly true since there are small differences. I will look and see what those differences are and mention it in a comment upstream.

@Bo98
Member

Bo98 commented Nov 18, 2019

I have left a review upstream noting the differences. See the linked pull request above for that.

I've applied the patches to Homebrew and opened a pull request at #46885.

Member

@chenrui333 chenrui333 left a comment

👍 💯

@Bo98
Member

Bo98 commented Nov 19, 2019

Interesting pgloader test issue spotted:

==> /usr/local/Cellar/pgloader/3.6.1/bin/pgloader /private/tmp/pgloader-test-201

Type HELP for debugger help, or (SB-EXT:EXIT) to exit from SBCL.

restarts (invokable by number or by possibly-abbreviated name):
  0: [CONTINUE       ] Skip this shared object and continue.
  1: [RETRY          ] Retry loading this shared object.
  2: [CHANGE-PATHNAME] Specify a different pathname to load the shared object from.
  3: [ABORT          ] Exit from the current thread.

(SB-SYS:DLOPEN-OR-LOSE #S(SB-ALIEN::SHARED-OBJECT :PATHNAME #P"/usr/local/opt/openssl/lib/libcrypto.dylib" :NAMESTRING "/usr/local/opt/openssl/lib/libcrypto.dylib" :HANDLE NIL :DONT-SAVE NIL))
0] ABORT
Last 15 lines from /Users/bo/Library/Logs/Homebrew/pgloader/test.03.pgloader:
2019-11-19 01:49:46 +0000

/usr/local/Cellar/pgloader/3.6.1/bin/pgloader
/private/tmp/pgloader-test-20191119-31326-2cy68d/test.load


debugger invoked on a SIMPLE-ERROR in thread
#<THREAD "main thread" RUNNING {10005885B3}>:
  Error opening shared object "/usr/local/opt/openssl/lib/libcrypto.dylib":
  dlopen(/usr/local/opt/openssl/lib/libcrypto.dylib, 10): image not found.

@fxcoudert
Member Author

Rebased to remove the Virtuoso changes, thanks to the excellent work of @Bo98

@Bo98 where did you spot that pgloader issue?

@MikeMcQuaid
Member

> I have left a review upstream noting the differences. See the linked pull request above for that.
>
> I've applied the patches to Homebrew and opened a pull request at #46885.

Perfect, thanks!

@Bo98
Member

Bo98 commented Nov 19, 2019

@fxcoudert Initially in the CI in the PostgreSQL 12.1 pull request, but I’ve reproduced it locally as well (without any changes).

@Bo98
Member

Bo98 commented Nov 19, 2019

Fix here: #46909.

@Bo98
Member

Bo98 commented Nov 20, 2019

One possibility to throw on the table, if developers still potentially needing this is a concern, is to move it to openssl@1.0 for its remaining days.

@fxcoudert fxcoudert merged commit 0349a7c into Homebrew:master Nov 21, 2019
@fxcoudert fxcoudert deleted the openssl branch November 21, 2019 16:13
@Bo98
Member

Bo98 commented Nov 21, 2019

🍾

Time to brew uninstall openssl if you haven't already.

@michaelblyons

> Time to brew uninstall openssl if you haven't already.

I get something like this:

$ brew uninstall openssl
Error: Refusing to uninstall /usr/local/Cellar/openssl/1.0.2t
because it is required by cairo, gnupg, ..., and wget, which are currently installed.
You can override this and force removal with:
  brew uninstall --ignore-dependencies openssl

Interestingly, wget claims not to need it:

$ brew deps wget
gettext
libidn2
libunistring
openssl@1.1

Is there a reason I get the warning?

@Bo98
Member

Bo98 commented Nov 21, 2019

Yes, you aren't alone: https://discourse.brew.sh/t/installed-formulae-depend-on-openssl-diverging-from-spec-dependency-on-openssl-1-1/6294/2

brew reinstall on those formulae will fix it - but clearly you shouldn't need to.

@MikeMcQuaid Any thoughts on this issue?

@MikeMcQuaid
Member

> Is there a reason I get the warning?

Yes, those applications are linked against openssl and you should reinstall them. brew deps --installed wget may show the right versions here.

@MikeMcQuaid
Member

In short: dependencies declared in a formula may not match those after installation (which are based on the actual linkage which may vary depending on the build system of the application and annoying opportunistic linkage).

@MikeMcQuaid
Member

Instead of brew deps for this particular case you may find brew linkage wget etc. more illuminating.
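
Added example (not part of the original thread and not Homebrew's own code): the gap described above between declared dependencies and actual linkage can be audited by reading the load commands that `otool -L` prints for each installed binary. The sample output and its `X.Y` version directories are constructed, and the function names are hypothetical; `libssl.1.0.0.dylib` and `libcrypto.1.0.0.dylib` are the OpenSSL 1.0 library file names on macOS.

```shell
#!/bin/sh
# Added example: report binaries whose load commands still name OpenSSL 1.0.

# Read `otool -L` output on stdin; print "binary<TAB>library" for every
# dependency on libssl/libcrypto 1.0.0 (the OpenSSL 1.0 dylib file names).
openssl10_links() {
  awk '
    /^[^ \t].*:$/ { bin = substr($0, 1, length($0) - 1); next }  # "path:" header
    $1 ~ /\/lib(ssl|crypto)\.1\.0\.0\.dylib$/ && $1 != bin { print bin "\t" $1 }
  '
}

# Run otool over the executables and dylibs of one keg directory,
# e.g. scan_keg "$(brew --cellar)/wget". Needs the macOS developer tools.
scan_keg() {
  find "$1" -type f \( -perm -u+x -o -name '*.dylib' \) \
    -exec otool -L {} + 2>/dev/null | openssl10_links
}

# Constructed sample in `otool -L` layout (X.Y stands in for real versions):
# one binary still linked to OpenSSL 1.0, one already on openssl@1.1.
sample_otool_output() {
  printf '%s\n' '/usr/local/Cellar/wget/X.Y/bin/wget:'
  printf '\t%s\n' \
    '/usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)' \
    '/usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)' \
    '/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1.0.0)'
  printf '%s\n' '/usr/local/Cellar/curl/X.Y/bin/curl:'
  printf '\t%s\n' \
    '/usr/local/opt/openssl@1.1/lib/libssl.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)' \
    '/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1.0.0)'
}

# Usage: pass a keg directory as the first argument to scan it.
if [ "$#" -gt 0 ]; then
  scan_keg "$1"
fi
```

Anything this reports was built against the removed formula and needs a reinstall, whatever `brew deps` says for it.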

convenient added a commit to AmpersandHQ/homebrew-php that referenced this pull request Nov 22, 2019
@dgholz

dgholz commented Nov 22, 2019

Hello, I've got a need for openssl at version 1.0 (rebuilding binaries from historical sources). It would be nice to have the formula still available even past its end-of-life, even if no other formulae require it.

@fxcoudert
Member Author

@dgholz We're definitely not shipping unmaintained software (https://docs.brew.sh/Acceptable-Formulae), especially one that is known for its security risks. But due to the modular nature of Homebrew, it's very easy to maintain a formula in your own tap: https://docs.brew.sh/How-to-Create-and-Maintain-a-Tap (and you can even provide bottles for it!)

@MikeMcQuaid
Member

@dgholz brew extract should make this very easy for you to do.

@dgholz

dgholz commented Nov 22, 2019

Thanks, running brew new-tap dgholz/old-openssl <repo> & then brew extract --version=1.0.2t openssl dgholz/old-openssl lets me keep my crusty old builds going.

@MikeMcQuaid
Member

The supported way to still use OpenSSL 1.0 is to use brew extract. brew installing from a URL is insecure and will break.

@Homebrew Homebrew locked as resolved and limited conversation to collaborators Nov 27, 2019