On Wed, 28 Jun 2017, Vincent Bernat wrote:

> ❦ 28 June 2017 19:03 +0200, Micha Lenk <micha@debian.org> :
>
> >> Backporting *any* OpenSSL has massive impact on anything using it
> >> *and* massive security implications (as in, how fast can you provide
> >> backported fixes?).
> >>
> >> Furthermore, it also impacts others’ backports. Maintainers know how
> >> to patch their applications for the OpenSSL from stable and testing,
> >> but to introduce something else into the mix…?
> >>
> >> With a high-profile package like OpenSSL, I’d personally like to see
> >> no backport at all, but in any case not without the maintainer (in
> >> sid) agreeing, due to the dangers involved.
> >
> > Does this mean we should better remove OpenSSL 1.0.2 from
> > jessie-backports?
>
> Absolutely not. There are users of this package. We rely on it to
> provide more recent features to users wanting them (for example, ALPN;
> the version in Jessie only supports NPN, which is deprecated). For
> example, both HAProxy and nginx are using this package for their own
> backports.
>
> AFAIK, there was no complaint on this package. Updating it to the
> version actually in stretch seems a good idea. Not allowing it because
> the source package was renamed seems a bit far-fetched.

I rejected it because I didn't detect that it got renamed. That's the
point of talking about such things before uploading.

Alex