Re: Latest openssl 1.0.2 for Jessie backports

Hi Thorsten,

On 06/28/2017 02:46 PM, Thorsten Glaser wrote:
> On Wed, 28 Jun 2017, Jan Ingvoldstad wrote:
>
> > As I understand it, backporting OpenSSL 1.1.0, which would seem to be
> > the alternative, has wider ranging consequences:
>
> Backporting *any* OpenSSL has massive impact on anything using it
> *and* massive security implications (as in, how fast can you provide
> backported fixes?).
>
> Furthermore, it also impacts others’ backports. Maintainers know how
> to patch their applications for the OpenSSL from stable and testing,
> but to introduce something else into the mix…?
>
> With a high-profile package like OpenSSL, I’d personally like to see
> no backport at all, but in any case not without the maintainer (in
> sid) agreeing, due to the dangers involved.

Does this mean we should better remove OpenSSL 1.0.2 from jessie-backports?



