[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OpenSSL 1.1.0

Pau Garcia i Quiles <pgquiles@elpauer.org> writes:

> Most upstreams have do not support 1.1.0 yet, and have no plans to
> support it in months. This will force Debian maintaners to rewrite
> OpenSSL code, which is a very sensitive part and may turn an (upstream)
> secure application into an insecure application due to incorrect
> patches.

Yeah, Shibboleth upstream had a similar reaction to the ones reported
here: they want to work on it, someone has started looking at it, but
since 1.0 is supported for several more years, they weren't expecting it
to be an immediate issue and weren't planning on pushing to finish the
support until late 2017.

My guess from seeing the changes for INN is that the vast majority of
packages, which use OpenSSL in a glancing or fairly straightforward way,
won't be difficult to convert.  But security and cryptographic software
that uses OpenSSL heavily and makes extensive use of its less common
corners may require quite a bit of work.  (I think most of it is
mechanical, but lots of mechanical changes are also high-risk because
they're mind-numbing and it's easy to make a small mistake that slips
through unnoticed.)

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: