
Re: Latest openssl 1.0.2 for Jessie backports

On Wed, 28 Jun 2017, Vincent Bernat wrote:

>  ❦ 28 June 2017 19:03 +0200, Micha Lenk <micha@debian.org>:
> >> Backporting *any* OpenSSL has massive impact on anything using it
> >> *and* massive security implications (as in, how fast can you provide
> >> backported fixes?).
> >>
> >> Furthermore, it also impacts others’ backports. Maintainers know how
> >> to patch their applications for the OpenSSL from stable and testing,
> >> but to introduce something else into the mix…?
> >>
> >> With a high-profile package like OpenSSL, I’d personally like to see
> >> no backport at all, but in any case not without the maintainer (in
> >> sid) agreeing, due to the dangers involved.
> >
> > Does this mean we should better remove OpenSSL 1.0.2 from
> > jessie-backports?
> Absolutely not. There are users of this package. We rely on it to
> provide more recent features to users wanting them (for example, ALPN,
> the version in Jessie only supports NPN which is deprecated). For
> example, both HAProxy and nginx are using this package for their own
> backports.
> AFAIK, there was no complaint on this package. Updating it to the
> version actually in stretch seems a good idea. Not allowing it because
> the source package was renamed seems a bit far-fetched.
I rejected it because I didn't detect that it got renamed.

That's the point of talking about such things before uploading.

