> On Jun 13, 2023, at 15:06, Jan Ehrhardt <php...@ehrhardt.nl> wrote: > > Hi Christoph, > > "Christoph M. Becker" in php.internals (Wed, 18 Jan 2023 13:20:41 +0100): >> While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP >> 8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is >> only supported till 2023-09-11[1], while PHP 8.1 is supported till >> 2024-11-25[2]. Although I don't like bumping the OpenSSL version in the >> middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling >> behind security support. And if we do that bump, we better do it sooner >> than later. >> >> So, if there are no unforeseen problems, I suggest to build PHP >> 8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with >> OpenSSL 1.1.1). >> >> Thoughts? Objections? >> >> [1] <https://www.openssl.org/policies/releasestrat.html> >> [2] <https://www.php.net/supported-versions.php> > > I noticed that PHP 8.1.20 at https://windows.php.net/download/ was built > with OpenSSL 1.1.1t and PHP 8.2.7 & 8.3.0 Alpha 1 with OpenSSL 3.0.8. What > will be the official policy for 8.1, 8.2 and 8.3? All 3 versions with > OpenSSL 3.0.x or 8.1 still with OpenSSL 1.1.1? And none of the three > versions with OpenSSL 3.1.x? Please clarify.
What’s the process for changing this? Do release managers need to change the way we bundle the packages, or does something need to be merged into the PHP-8.1 branch? Cheers, Ben
signature.asc
Description: Message signed with OpenPGP
