Re: OpenSSL 1.1.0
On Fri, Nov 18, 2016 at 10:22:59PM +0100, Moritz Mühlenhoff wrote:
> Adrian Bunk <bunk@stusta.de> schrieb:
> > And/or get sponsorship from companies for supporting ChaCha20-patched
> > 1.0.2
>
> It's not a matter of whipping up some patch; anything less than an
> official backport of chacha20 into a 1.0.2x release is not going
> to be supportable.
Supporting 1.1.0 in addition to 1.0.2, including 2 years of supporting
1.1.0 after upstream support for it ended - it is confirmed that Debian
is able and willing to support that.
Supporting 1.0.2 only [1] plus chacha20 patched into that - it is not
obvious to me why this would be that much worse in comparison that
it would not be an option under any circumstances.
Whether it is the best available option is a separate question.
My current preference would be stretch 1.0.2-only[2], and an early
buster a year later[3] if Fedora manages to make a release with 1.1
in June.
With dual 1.0.2/1.1 not working in the current release schedule,
what is your preferred solution?
> Cheers,
> Moritz
cu
Adrian
[1] which should see a lot less code changes now that upstream
is focussing on 1.1 and later
[2] with or without ChaCha20 patched
[3] my preference, whether the release team would agree I do not know
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Reply to: