OpenSSL releases and port updates frequency

[lstipakov]

Hello,

We at OpenVPN use vcpkg as a package manager for our Windows software. Among other ports, we use OpenSSL. Once in a while OpenSSL makes releases with high severity fixes, like yesterday's 1.1.1n release (https://www.openssl.org/news/vulnerabilities.html#CVE-2022-0778). So far OpenSSL port hasn't been updated in vcpkg.

I wonder how fast vcpkg does update critical ports like OpenSSL? If this is the matter of hours or max day, we could probably stick to ports from official repo, otherwise we would have to use port overlays which we would update ourselves (which we did for the next upcoming release). If there are other vendors here which use vcpkg and depend on OpenSSL - how do you deal which this kind of situations?

[Osyotr]

There's already a PR for this: #23589. IME, average PR lifetime before merge is a couple of days, provided there are no regressions in CI.
Of course, if you want updates ASAP you should use overlay ports or custom registries.