Re: Please consider backporting openssl 1.0.2 to jessie
On Wed, 25 May 2016, Michael Gebetsroither wrote:
> On 2016-05-14 17:53, Zack Weinberg wrote:
>
> > Please consider backporting openssl 1.0.2 to jessie. I know this is a
> > difficult and labor-intensive package -- it should not be backported
> > if there isn't manpower to keep up with security patches -- but it's
> > badly needed for webservers, as only this version supports ALPN, which
> > is now a prerequisite for http/2.0 with Chrome/ium; it was already
> > necessary for IE, and Firefox is likely to follow suit in the near
> > future. See https://blog.chromium.org/2016/02/transitioning-from-spdy-to-http2.html
> > for more details.
>
> Yes, please consider backporting openssl 1.0.2 for ALPN support in jessie.
> Without it there is no http/2 for jessie as browsers require ALPN for it.
>
> Backporting only ALPN doesn't seem like a good idea:
> https://git.openssl.org/gitweb/?p=openssl.git&a=search&h=HEAD&st=commit&s=ALPN
Given the impact of a breakage I don't think a backport of libssl is a good
idea. At least not unless the official maintainer team thinks it is a good
idea AND maintains the backports AND commits to doing any security updates as
fast as in unstable.
Alex