
Re: OpenSSL 1.1.0



On Wed, Nov 16, 2016 at 12:15:39AM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-11-15 00:16:14 [+0200], Adrian Bunk wrote:
> > And since 80% of all OpenSSL-using packages in unstable are still
> > using libssl1.0.2 (binNMUs have not yet happened), all runtime
> > issues observed so far are only the tip of the iceberg.
> > Bugs like "With Kurt's patch, apache2 crashes on startup with an invalid free." 
> > or #843988 will be a common sight on the list of RC bugs for several
> > months in any scenario with OpenSSL 1.1 as default.
> Are you afraid of bugs or that nobody will look after them? Can't speak
> for apache but #843988 got patched and so did #843532.

The problem is not specific bugs, the problem is the whole size of the
problem:

1. Sorting out what packages have to stay at 1.0.2
The majority of OpenSSL-using packages in stretch might end up 
using 1.0.2 - sorting this out is part of the ongoing OpenSSL
transition.

2. OpenSSL 1.1 support is often only build-tested
We are currently at 650 packages in unstable depending on libssl1.0.2,
and when binNMUs happen we might get a three-digit number of
new RC bugs like #843988 and #843532.

3. Another Debian OpenSSL security fiasco?
Bugs like #843988 are only about problems that show up immediately.
This is often code where mistakes can be CVEs, and bug #843988 or
the comment "With Kurt's patch, apache2 crashes on startup" don't
make me optimistic regarding silent new security holes.
Depending on how/if this was applied upstream, these might become
Debian-specific CVEs.
People will remember the last time Debian screwed up badly in the area 
of OpenSSL, so this could really harm the reputation of Debian.

4. Schedule
The transition freeze was 11 days ago, and the soft freeze is only
1.5 months ahead.
If the work on points 1 and 2 above is not mostly finished
by December 5th (mandatory 10-day migrations will start, only
1 month until the soft freeze), either the OpenSSL transition
or the release schedule has to be scrapped.

> Sebastian

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

