Re: libressl in Buster?

To: debian-user@lists.debian.org
Subject: Re: libressl in Buster?
From: Reco <recoverym4n@enotuniq.net>
Date: Mon, 5 Nov 2018 09:51:34 +0300
Message-id: <[🔎] E1gJYjX-0005yl-77@enotuniq.net>
In-reply-to: <[🔎] b0cbb5fb-c169-6600-c091-cdaf46cf0788@afaics.de>
References: <[🔎] 64f9e1e1-ece9-6cc2-4803-dd2c50ee60ca@afaics.de> <[🔎] E1gIEhf-0005hF-Tu@enotuniq.net> <[🔎] 8d0770da-b9db-2054-a5a3-61f8e5ef15e1@afaics.de> <[🔎] E1gIy4P-0007qj-F4@enotuniq.net> <[🔎] b0cbb5fb-c169-6600-c091-cdaf46cf0788@afaics.de>

	Hi.

On Mon, Nov 05, 2018 at 06:18:00AM +0100, Harald Dunkel wrote:
> On 11/3/18 4:42 PM, Reco wrote:
> > 	Hi.
> > 
> > On Sat, Nov 03, 2018 at 03:37:06PM +0100, Harald Dunkel wrote:
> >>
> >> I don't see a short release cycle as a bad feature. Its a sign of
> >> active and agile development.
> > 
> > And in Debian stable that also means that it's close to impossible to
> > backport security fixes to chosen version (because it's "too old").
> > Updating such fundamental library can (and probably *will*) lead to
> > API/ABI breakage. While tolerable at sid/testing, such things are
> > frowned upon at stable.
> 
> Thats a home-made problem affecting many packages in Debian, RedHat EL,
> and others.

Yet that's a price they agree to pay for a predictable software
behaviour during a lifecycle of a single major release.
And that's IBM EL now. RedHat's selling out.


> >> Openssl has a bad reputation for introducing security problems,
> >> partly due to its complex and "dangerous code", which was the
> >> major reason for the fork.
> >> https://en.wikipedia.org/wiki/LibreSSL#History
> > 
> > As long as it's used - they will search for vulnerabilities in there.
> > And they will find them. PHP has even worse reputation in this regard,
> > for example, yet you still see people who are using PHP.
> 
> Thats the point. AFAICT there are many alternatives to php. Its upstream's
> job to decide which scripting language to chose.

But there are no alternatives to PHP that match it's (possibly passing)
popularity.


> Debian can chose to include the source packages (php or the tools
> using it) into the distro.

Likewise we have two alternatives to openssl in Debian right now. Gnutls
and NSS. Unlike LibreSSL, they produce stable versions.


> For opensmtpd (the package I am interested in) upstream has decided to
> ditch openssl in favor of libressl. Now Debian has several options in this
> case:
> 
> - add libressl to Debian
> - stick to the old opensmtpd 6.0.3 and openssl and backport security fixes
> - modify opensmtpd 6.4 to make it work with openssl
> - drop opensmtpd

I add fifth. Embed libressl into Debian package of opensmtpd.
It's happened before.

Reco

Reply to:

References:
- libressl in Buster?
  - From: Harald Dunkel <harri@afaics.de>
- Re: libressl in Buster?
  - From: Reco <recoverym4n@enotuniq.net>
- Re: libressl in Buster?
  - From: Harald Dunkel <harri@afaics.de>
- Re: libressl in Buster?
  - From: Reco <recoverym4n@enotuniq.net>
- Re: libressl in Buster?
  - From: Harald Dunkel <harri@afaics.de>

Prev by Date: Re: libressl in Buster?
Next by Date: Re: Recommendation on partition sizes
Previous by thread: Re: libressl in Buster?
Next by thread: Re: libressl in Buster?
Index(es):
- Date
- Thread