On 2017-06-28 14:55, Jan Ingvoldstad wrote:
> On Wed, Jun 28, 2017 at 2:46 PM, Thorsten Glaser <t.glaser@tarent.de> wrote:
>> On Wed, 28 Jun 2017, Jan Ingvoldstad wrote:
>>> As I understand it, backporting OpenSSL 1.1.0, which would seem to be the alternative, has wider ranging consequences:
>>
>> Backporting *any* OpenSSL has massive impact on anything using it *and* massive security implications (as in, how fast can you provide backported fixes?).
>
> Wouldn't this argument apply equally to the linux-image packages, which sometimes take weeks to come from Stretch to Jessie-backports?

The linux-image backports are done by the kernel maintainers themselves though. Which doesn't appear to be the case here for OpenSSL. (Also, the kernel has a much better track record of keeping compatibility between releases than OpenSSL. Just look at how difficult the OpenSSL 1.1 transition was on a _source_ level - and is actually still ongoing. The kernel instead provides large _binary_ compatibility guarantees. Not 100%, sure, but still quite impressive.)

Regards,
Christian