
Re: OpenSSL 1.1.0



On 2016-11-16 19:49:44 [+0200], Adrian Bunk wrote:
> The problem is not specific bugs, the problem is the whole size of the
> problem:
> 
> 1. Sorting out what packages have to stay at 1.0.2
> The majority of OpenSSL-using packages in stretch might end up 
> using 1.0.2 - sorting this out is part of the ongoing OpenSSL
> transition.

You have two choices: either port it to 1.1.0 or stay with 1.0.2.

> 2. OpenSSL 1.1 support is often only build-tested
> We are currently at 650 packages in unstable depending on libssl1.0.2,
> and when binNMUs happen we might get a three-digit number of
> new RC bugs like #843988 and #843532.

stunnel was prepared upstream to work with 1.1.0 and it wasn't perfect.
We would also face the same problem if openssl 1.0.2 decided to do a
realloc() at some point. Luckily it has not yet. Some packages run a
test suite, so we find bugs there, too.

> 3. Another Debian OpenSSL security fiasco?
> Bugs like #843988 are only about problems that show up immediately.
> This is often code where mistakes can be CVEs, and bug #843988 or
> the comment "With Kurt's patch, apache2 crashes on startup" don't
> make me optimistic regarding silent new security holes.
> Depending on how/if this was applied upstream, these might become
> Debian-specific CVEs.

I forwarded (or tried to forward) my 1.1.0 fixups to upstream. I didn't find a live
upstream for the two perl patches I made and had hoped that the Debian
maintainer knows how to forward them.

> People will remember the last time Debian screwed up badly in the area 
> of OpenSSL, so this could really harm the reputation of Debian.
> 
> 4. Schedule
> The transition freeze was 11 days ago, and the soft freeze is only
> 1.5 months ahead.
> If the work on points 1 and 2 above is not mostly finished
> by December 5th (mandatory 10-day migrations will start, only
> 1 month until the soft freeze), either the OpenSSL transition
> or the release schedule has to be scrapped.

So people can still choose to go for 1.1.0 or 1.0.2. They may work on
1.1.0.

> cu
> Adrian

Sebastian
