duckdb_iceberg icon indicating copy to clipboard operation
duckdb_iceberg copied to clipboard
verified publisher icon duckdb

Upgrade openssl version

Open dentiny opened this issue 3 months ago • 5 comments

Hi team, I'm suffering link error when compiling the extension. (I feel weird, since vcpkg is supposed to be hermetic from my understanding.)

Error message:

[ 90%] Building CXX object extension/parquet/CMakeFiles/parquet_loadable_extension.dir/parquet_timestamp.cpp.o 
/usr/bin/ld: ../../vcpkg_installed/arm64-linux/lib/libs2n.a(s2n_hash.c.o): in function s2n_evp_hash_digest': s2n_hash.c:(.text+0x1128): undefined reference to EVP_MD_CTX_get_size_ex' 
collect2: error: ld returned 1 exit status gmake[3]: *** [tools/shell/CMakeFiles/shell.dir/build.make:232: duckdb] 
Error 1 gmake[2]: *** [CMakeFiles/Makefile2:9789: tools/shell/CMakeFiles/shell.dir/all] 
Error 2 gmake[2]: *** Waiting for unfinished jobs....

The command I'm using

 VCPKG_TOOLCHAIN_PATH='/tmp/vcpkg/scripts/buildsystems/vcpkg.cmake' make reldebug -j 10

I checked the symbol, seems it exists for higher version of openssl

# Check local openssl symbol
vscode ➜ /tmp/duckdb_iceberg (hjiang/upgrade-openssl) $ pkg-config --modversion openssl 2>/dev/null || echo "no pkg-config"
3.5.1
vscode ➜ /tmp/duckdb_iceberg (hjiang/upgrade-openssl) $ nm -D /usr/lib/*/libcrypto.so* | grep -E 'EVP_MD_CTX_get_size_ex' || true
0000000000223fa4 T EVP_MD_CTX_get_size_ex@@OPENSSL_3.4.0
0000000000223fa4 T EVP_MD_CTX_get_size_ex@@OPENSSL_3.4.0

I tried to upgrade openssl to a higher version, which works on my end. Let me know if you think it's a valid change, thank you!

dentiny avatar Sep 11 '25 05:09 dentiny

Thanks! Looks like 3.5.0 is the latest available version? At least according to the CI failures

Tmonster avatar Sep 11 '25 07:09 Tmonster

Added @samansmink as reviewer, in general it's not OK to bump openssl versions, expecially this close to a release (where there is less time to check this has not unintended consequences)

carlopi avatar Sep 11 '25 08:09 carlopi

Added @samansmink as reviewer, in general it's not OK to bump openssl versions, expecially this close to a release (where there is less time to check this has not unintended consequences)

I'm definitely OK to pause here and wait for a while :)

dentiny avatar Sep 11 '25 08:09 dentiny

Thanks! Looks like 3.5.0 is the latest available version? At least according to the CI failures

3.5.2 is the latest "stable" release version: https://github.com/openssl/openssl/releases

dentiny avatar Sep 11 '25 09:09 dentiny

Yea bumping openssl is a bit of a pain. I tried a while back but basically whatever version i picked resulted in CI failing somewhere. Like carlo said, lets not do this right before a release, but we can definitely look into picking a more recent one.

Before v1.5 we should look into bumping vcpkg and openssl duckdb-wide i'd say

samansmink avatar Sep 11 '25 09:09 samansmink