On Wed, 28 Jun 2017, Jan Ingvoldstad wrote:
As I understand it, backporting OpenSSL 1.1.0, which would seem to be
the alternative, has wider ranging consequences:
Backporting *any* OpenSSL has massive impact on anything using it
*and* massive security implications (as in, how fast can you provide
backported fixes?).
Furthermore, it also impacts others’ backports. Maintainers know how
to patch their applications for the OpenSSL from stable and testing,
but to introduce something else into the mix…?
With a high-profile package like OpenSSL, I’d personally like to see
no backport at all, but in any case not without the maintainer (in
sid) agreeing, due to the dangers involved.