
Re: OpenSSL 1.1.0

On Wed, Jun 29, 2016 at 9:49 PM, Moritz Mühlenhoff <jmm@inutil.org> wrote:
> Jérémy Lal <kapouer@melix.org> wrote:
>> The openssl release strategy page [1] states:
>> Version 1.1.0 will be supported until 2018-04-30.
>> Version 1.0.2 will be supported until 2019-12-31 (LTS).
>>
>> Considering the dates, upstream authors using openssl 1.0.2 might not
>> migrate to the new api until 1.0.2 end of life.
>> Is it reasonable, for security and human resources' sake, to carry hundreds
>> of patches for a transition that will happen much more safely and naturally
>> later?
>
> Certainly. 1.1 brings a lot of internal changes which will be beneficial in
> the long run. And of course there's a wide range of 1.1 features which will be
> important during the lifetime of stretch (e.g. chacha20/poly1305 support).


I beg to disagree.

IMHO the mandatory migration to OpenSSL 1.1.0 is happening too soon.

Most upstreams do not support 1.1.0 yet, and have no plans to support it in months. This will force Debian maintainers to rewrite OpenSSL code, which is a very sensitive part and may turn an (upstream) secure application into an insecure one due to incorrect patches.

If possible, I would rather have both 1.0.2 and 1.1.0 in the archive, and move to 1.1.0 as upstream moves. I do not feel comfortable at all touching security-related stuff, it's not my specialty. Even less if we are talking about OpenSSL, known not to have the most friendly and intuitive of APIs.

--
Pau Garcia i Quiles
http://www.elpauer.org
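As an added example (not part of this thread, nor code from Debian or the OpenSSL project), here is the kind of triage a maintainer would run before deciding how much of the rewrite discussed above a package actually needs. The two embedded C files are constructed samples: the first is the 1.0.2 idiom (stack-allocated HMAC_CTX with HMAC_CTX_init/HMAC_CTX_cleanup), the second the same function ported to 1.1.0 (opaque context from HMAC_CTX_new, every return value checked). The grep patterns are limited to changes documented for 1.1.0: HMAC_CTX_init() and HMAC_CTX_cleanup() were removed, and the listed struct types became opaque, so declaring them by value or taking their sizeof no longer compiles. The function names count_hits and triage_tree are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): triage an upstream source tree for
# OpenSSL 1.0.2-era constructs that do not compile against 1.1.0.
# It only reports; the rewrite itself is the work the message is worried about.
set -eu

# Constructed sample sources standing in for an upstream package.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/hmac_old.c" <<'EOF'
#include <openssl/hmac.h>
/* 1.0.2 style: context lives on the stack, paired with init/cleanup */
int mac(const unsigned char *k, int kl, const unsigned char *d, size_t dl,
        unsigned char *out)
{
    HMAC_CTX ctx;
    unsigned int len;
    HMAC_CTX_init(&ctx);
    HMAC_Init_ex(&ctx, k, kl, EVP_sha256(), NULL);
    HMAC_Update(&ctx, d, dl);
    HMAC_Final(&ctx, out, &len);
    HMAC_CTX_cleanup(&ctx);
    return (int)len;
}
EOF

cat > "$SAMPLE_DIR/hmac_new.c" <<'EOF'
#include <openssl/hmac.h>
/* 1.1.0 style: opaque context allocated by the library, every return checked */
int mac(const unsigned char *k, int kl, const unsigned char *d, size_t dl,
        unsigned char *out)
{
    unsigned int len = 0;
    HMAC_CTX *ctx = HMAC_CTX_new();
    if (ctx == NULL)
        return -1;
    if (HMAC_Init_ex(ctx, k, kl, EVP_sha256(), NULL) != 1 ||
        HMAC_Update(ctx, d, dl) != 1 ||
        HMAC_Final(ctx, out, &len) != 1) {
        HMAC_CTX_free(ctx);
        return -1;
    }
    HMAC_CTX_free(ctx);
    return (int)len;
}
EOF

# Functions dropped in 1.1.0 with no compatibility macro.
REMOVED='HMAC_CTX_init|HMAC_CTX_cleanup'
# Types that became opaque in 1.1.0: a by-value declaration or a sizeof of
# one of these is a compile error against the new headers.
OPAQUE='HMAC_CTX|EVP_MD_CTX|EVP_CIPHER_CTX|BIGNUM|RSA|DSA|DH|EVP_PKEY|X509|BIO|SSL|SSL_CTX'
ID='[A-Za-z_][A-Za-z0-9_]*'

# count_hits FILE: print the number of lines in FILE that need porting work.
count_hits() {
    f=$1
    r=$(grep -Ec "(^|[^A-Za-z0-9_])($REMOVED)[[:space:]]*\(" "$f" || true)
    v=$(grep -Ec "^[[:space:]]*($OPAQUE)[[:space:]]+$ID[[:space:]]*(;|\[|=)" "$f" || true)
    s=$(grep -Ec "sizeof[[:space:]]*\([[:space:]]*($OPAQUE)[[:space:]]*\)" "$f" || true)
    echo $((r + v + s))
}

# triage_tree DIR: one "hits path" line per C source or header, worst first.
triage_tree() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) | while read -r f; do
        echo "$(count_hits "$f") $f"
    done | sort -rn
}

triage_tree "$SAMPLE_DIR"
```

This is a grep heuristic, not a compiler: it will miss direct member access on structs that became opaque (for example the 1.0.2 idiom pkey->pkey.rsa, which 1.1.0 replaces with an accessor) and anything hidden behind a macro, so the authoritative check remains a build against the 1.1.0 headers. What it does give a maintainer is a quick count of how much OpenSSL-touching code a package carries before committing to patch it.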
