Re: OpenSSL 1.1.0



Adrian Bunk <bunk@stusta.de> wrote:
> On Tue, Nov 15, 2016 at 09:37:01AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
>> On lunes, 14 de noviembre de 2016 16:51:04 ART Marco d'Itri wrote:
>> > On Nov 14, Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com> wrote:
>> > > And yes, I would step back and switch libssl-dev to provide libssl1.0-dev
>> > > and have libssl1.1-dev around for anyone who can really do the switch.
>> > I would not: OpenSSL 1.0 does not support ChaCha20 so it would be a very
>> > bad default for next year's release.
>> > Bad enough that I would have to use a different distribution for some
>> > web servers.
>> 
>> That's why I wrote:
>> 
>>   And if we **really** need to switch to libssl1.1 then we **really** need to
>>   delay the release by 6 months as a very minimum, maybe 1 year.
>> 
>> Yes, I also know that it sounds awful, but do we have another way out?
>
> Yes, patching the OpenSSL 1.1 features that are really needed into the
> Debian OpenSSL 1.0.2 package.
>
> For ChaCha20 that's existing patches that are already being used
> elsewhere.

That's not an option: while there's an external patch for chacha20/poly
by Cloudflare, it hasn't been upstreamed, and we cannot cover it with
security support in a meaningful manner. And other features are not
backportable at all.

Kurt has already asked who would do the backports and support them in
https://lists.debian.org/debian-release/2016/10/msg00609.html, so stop
pretending that's a genuine option.
