
Re: Latest openssl 1.0.2 for Jessie backports



 ❦ 28 June 2017 19:03 +0200, Micha Lenk <micha@debian.org> :

>> Backporting *any* OpenSSL has massive impact on anything using it
>> *and* massive security implications (as in, how fast can you provide
>> backported fixes?).
>>
>> Furthermore, it also impacts others’ backports. Maintainers know how
>> to patch their applications for the OpenSSL from stable and testing,
>> but to introduce something else into the mix…?
>>
>> With a high-profile package like OpenSSL, I’d personally like to see
>> no backport at all, but in any case not without the maintainer (in
>> sid) agreeing, due to the dangers involved.
>
> Does this mean we should better remove OpenSSL 1.0.2 from
> jessie-backports?

Absolutely not. There are users of this package. We rely on it to
provide more recent features to users wanting them (for example, ALPN;
the version in Jessie only supports NPN, which is deprecated). For
example, both HAProxy and nginx are using this package for their own
backports.

AFAIK, there was no complaint about this package. Updating it to the
version actually in stretch seems a good idea. Not allowing it because
the source package was renamed seems a bit far-fetched.
-- 
Say what you mean, simply and directly.
            - The Elements of Programming Style (Kernighan & Plauger)
