
Re: openssl transition



On 10/30/2016 11:03 AM, Michael Meskes wrote:
> On Sat, Oct 29, 2016 at 10:04:21PM +0200, Christian Seiler wrote:
>> Well, ideally it'll compile with both OpenSSL 1.0.2 and 1.1 and
>> therefore be binNMU-able. (This has the advantage that such a
>> patch is much more likely to get accepted by upstream.) In that
>> case you can upload a version that Closes: #nnn the RC bug.
> 
> It turned out my packages were easy; they just needed OPENSSL_API_COMPAT to be
> defined accordingly. However, I don't think all upstreams will work like this.
> I can easily see some just requiring OpenSSL 1.1 and changing the code
> accordingly. And I doubt it's wise for us to require packages to be patched to
> compile with the old version of OpenSSL, too.

Well, most upstreams will want to support OpenSSL 1.0 for a little
while longer (lots of other distributions are still on OpenSSL 1.0
for the foreseeable future), so any patch that has a chance of
getting accepted by most upstreams will still need to support 1.0
as well as 1.1.

I'm not saying this should be a hard requirement in Debian itself
(I did say "ideally" in my initial reply), but I do think that if
you're touching the code anyway, it's worthwhile to at least
consider that.

>> (Also, if you ever want to backport stuff to jessie-backports, it
>> is necessary to still support building against OpenSSL 1.0 even
>> after the transition. That's not something relevant for all
>> packages, as not everything is going to be backported, but there
>> are definitely some packages that will be affected.)
> 
> What prevents us from backporting OpenSSL?

In principle nothing (once it's in testing, of course), but since
OpenSSL is very security-critical in terms of impact on the number
of packages affected (and there are frequent security updates),
the person doing the backports would have to be _very_ on top of
this for this to work reasonably well. I'm not saying this isn't
going to happen, but you'd need to have someone who'd actually
be willing to make that kind of commitment. Making a package that
you want to backport compile with both 1.1 and 1.0 is probably
less work than maintaining a backport of OpenSSL 1.1.

Regards,
Christian

