Bug#827061: transition: openssl
On 26/10/16 10:55, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed
> On 25/10/16 20:09, Moritz Muehlenhoff wrote:
>> On Wed, Oct 19, 2016 at 10:44:08PM +0200, Kurt Roeckx wrote:
>>> On Mon, Oct 17, 2016 at 08:52:31PM +0200, Emilio Pozuelo Monfort wrote:
>>>> I'm sorry but I'm going to have to nack this for Stretch, as much as I like to
>>>> approve transitions and get new stuff in. I have looked at the opened bugs and
>>>> I'm afraid this still is too disruptive. I have noticed that you have forwarded
>>>> some of them and sent patches, and I appreciate that. We can do this early in
>>>> the Buster cycle, so let's look at the status of this and prepare for the
>>>> transition when Stretch gets released.
>>> Is having 2 version of OpenSSL in Stretch an option?
>> We've discussed this within the security team and we'd be fine with
>> a one-time exception to have two openssl releases in stretch; the API
>> changes are clearly too invasive to cover the entire Debian archive,
>> but 1.1 also carries sufficiently important new features (like support
>> for chacha20/poly1305) to warrant the extra complexity.
>> (It's the release team's call of course).
> 19:46 < nthykier> pochu: seen jmm_ reply to the libssl thread?
> 19:46 < jcristau> adsb: yay for binary debdiffs in q-v! thanks a bunch.
> 19:46 < pochu> yep
> 19:47 < pochu> nthykier: so my concern was there was a big risk that we
> wouldn't finish the transition intime, delaying the release. but if the security
> team is fine with (potentially, as I'll try not to) shipping both, then we
> should be fine, and I think I'll ack it
> 19:48 < pochu> of course we'll still try to get rid of the old one
> 19:48 < nthykier> ack, I think that just made me pro on doing that as well
> 19:48 < pochu> cool, good to see we're on the same page
> So let's do this. Let's try to get it finished and only ship openssl 1.1. We
> still have three months until the full freeze, and depending on how many
> packages (and which ones, for risk management etc) are left to be fixed after
> that, I may be happy to grant exceptions. But worst case we just ship both.
> But please, wait a little bit so that we can sort out the PIE fallout. You can
> start preparing the updates and upload to experimental to clear NEW if you want.
> We'll let you know once it's ok to upload to sid.
> BTW I noticed Fedora has started this transition as well, so they may have some
> patches that we are missing in the BTS.
> Also, please bump all the bugs to serious.
Adrian Bunk asked whether mixing both OpenSSL versions into the same address
space works fine. Is OpenSSL using symbol versioning? Is this situation
supported or should we expect things to break? This can easily happen if an app
links against a library libA which uses openssl 1.0, and against libB which uses