
Re: Latest openssl 1.0.2 for Jessie backports

On Wed, Jun 28, 2017 at 2:46 PM, Thorsten Glaser <t.glaser@tarent.de> wrote:
> On Wed, 28 Jun 2017, Jan Ingvoldstad wrote:
>> As I understand it, backporting OpenSSL 1.1.0, which would seem to be
>> the alternative, has wider ranging consequences:
> Backporting *any* OpenSSL has massive impact on anything using it
> *and* massive security implications (as in, how fast can you provide
> backported fixes?).

Wouldn't this argument apply equally to the linux-image packages,
which sometimes take weeks to come from Stretch to Jessie-backports?

> Furthermore, it also impacts others’ backports. Maintainers know how
> to patch their applications for the OpenSSL from stable and testing,
> but to introduce something else into the mix…?

This would also apply to the linux-image packages.

> With a high-profile package like OpenSSL, I’d personally like to see
> no backport at all, but in any case not without the maintainer (in
> sid) agreeing, due to the dangers involved.

This would also apply to the linux-image packages.
