TL;DR: About Distros, packages, Cygwin, volunteers

Brian Inglis Brian.Inglis@SystematicSw.ab.ca
Tue Jan 5 04:44:01 GMT 2021


On 2021-01-04 21:37, Brian Inglis wrote:
> On 2021-01-04 08:11, Marco Atzeri via Cygwin wrote:
>> On 04.01.2021 13:21, tommie.king@alverservices.com wrote:
>>> But im struggling to see how I can upgrade openssl >1.1.1f
>>> Compliance checks state that we must have a more up to date version, I know
>>> that it exists (1.1.1g, 1.1.1h, 1.1.1i)
>>
>> https://cygwin.com/packages/summary/openssl.html
>>
>> the last one available on cygwin is 1.1.1f
>>
>>> But I can only seem to upgrade to 1.1.1f in Cygwin  - is there a new upgrade
>>> package for Cygwin/Openssl coming in the near future?
>>
>> It will depends on the maintainer (Corinna) availability.
>> Maybe after the holiday season
> 
> What are your compliance timing constraints in terms of releases and time?
> I see Cygwin openssl is now 3 versions and 9 months behind the latest.
> 
> If you have a compliance timing issue, your organization will have to take 
> responsibility for meeting your compliance needs, either by having staff or 
> contracting others to meet those needs, by building packages more up to date 
> than those available from the distros you use.
> 
> All recent, and certainly all important, Cygwin packages use the common cygport 
> package build and maintenance system, which takes a lot of the burden off the 
> rote tasks required of maintainers to update packages to newer versions.
> Any package user may also do so by installing the cygport package and all its 
> toolchain dependencies, downloading the package sources, most of which contain a 
> <package>.cygport file, or cloning the package repo:
> 
> https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/openssl.git;a=summary
> 
> to get the <package>.cygport file, change the package version within to the 
> latest, and within that directory run:
> 
>      $ cygport <package>.cygport download all check
> 
> to download all source and patch files and build the package.
> 
> In some cases, you may need to install the package source to get the patch 
> sources if they have not been pushed to the package repo (as there is not really 
> much in the way of common policies or practices about that as yet), or search 
> and find the online locations of distros patches.
> 
> You may also have to tweak the <package>.cygport files to skip patches already 
> applied to the upstream package so redundant, tweak patches that are still 
> required but no longer apply without error, drop patches as the package has been 
> tweaked in some other way so they are no longer required, or make your own 
> patches to get the package to build under Cygwin.
> 
> You will also have to install the development versions of libraries required by 
> packages, often named lib/...-devel, and those available on Cygwin which support 
> additional functionality provided by the package, which may have to be 
> explicitly configured into the build specified in the <package>.cygport files.
> 
> Some background and help is available in the pages under Contributing on the 
> home page, in the archives of the cygwin-apps list, by searching online, and 
> asking on this list, if nothing else works.

TL;DR: About Distros, packages, Cygwin, volunteers

Most distros do not have the current versions of most packages in their stable 
releases, as they have to do rebuilds of all dependent packages, and regression 
tests of all the packages they are dependent on, apply patches for issues and 
rerun regression tests for those, regardless of security issue severity and 
urgency, even though they have many full time staff available to carry out the 
processes.

For important packages, Cygwin maintainers often monitor the status of their 
packages in other distros to see how stable new versions are, how many 
regressions or issues have been found in testing, how many patches have been 
applied, and their test status, as they are all volunteers working in their 
spare time.

I know a number of Cygwin maintainers monitor the status and use many of the 
patches applied to Fedora, as they have access to that due to their full time 
day jobs at Redhat and/or personal use of those systems at home, and others may 
also monitor and use patches from Debian, Gentoo, OpenSuSE, and other distros 
with funded infrastructure processes, staff to perform extensive testing, and 
develop their own patches for issues found testing on their distros.

One of the biggest issues in volunteer maintained distros like Cygwin is when 
dependent packages have to be updated to allow an important package to be 
updated, and some of those dependent packages have issues requiring a lot of 
work to resolve to get them to build on Cygwin, sometimes requiring the 
expertise of the official maintainer, who may not have much time available due 
to real life issues.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]


More information about the Cygwin mailing list