
Re: openssl transition





On Thu, Oct 27, 2016 at 2:39 PM, Antti Järvinen <antti.jarvinen@katiska.org> wrote:


While patching -DOPENSSL_API_COMPAT=0x10100000L will help a lot,
code changes are still required in addition to this flag: many
applications allocate OpenSSL data structures on the stack, and this is not
supported any more, regardless of -DOPENSSL_API_COMPAT.


This whole "let's shove OpenSSL 1.1 down your throat" is a very bad idea, IMHO.

My upstreams (witty and ace) have no plans to support OpenSSL 1.1 in the next months.

I do not have enough knowledge of OpenSSL to feel comfortable with my patches. I may end up rendering the software insecure.

Does anyone remember the OpenSSL PRNG incident 10 years ago? Are we trying to repeat it?
https://www.schneier.com/blog/archives/2008/05/random_number_b.html

Really, this does look like a huge mistake. Packagers will produce patches that will generate suboptimal, if not straight insecure, software just for their packages not to be removed, and/or to stop those "hey hey, RC bug on you!" mails. Please, delay the "only 1.1 migration" for 1 year.

--
Pau Garcia i Quiles
http://www.elpauer.org
