
Re: Latest openssl 1.0.2 for Jessie backports

On 2017-06-28 14:55, Jan Ingvoldstad wrote:
On Wed, Jun 28, 2017 at 2:46 PM, Thorsten Glaser <t.glaser@tarent.de> wrote:
On Wed, 28 Jun 2017, Jan Ingvoldstad wrote:

As I understand it, backporting OpenSSL 1.1.0, which would seem to be
the alternative, has wider ranging consequences:

Backporting *any* OpenSSL has massive impact on anything using it
*and* massive security implications (as in, how fast can you provide
backported fixes?).

Wouldn't this argument apply equally to the linux-image packages,
which sometimes take weeks to come from Stretch to Jessie-backports?

The linux-image backports are done by the kernel maintainers themselves
though. Which doesn't appear to be the case here for OpenSSL.

(Also, the kernel has a much better track record of keeping
compatibility between releases than OpenSSL. Just look at how difficult
the OpenSSL 1.1 transition was on a _source_ level - and is actually
still ongoing. The kernel instead provides large _binary_ compatibility
guarantees. Not 100%, sure, but still quite impressive.)

