Bug#827061: transition: openssl
On Tue, Oct 25, 2016 at 08:09:06PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 19, 2016 at 10:44:08PM +0200, Kurt Roeckx wrote:
> > On Mon, Oct 17, 2016 at 08:52:31PM +0200, Emilio Pozuelo Monfort wrote:
> > >
> > > I'm sorry but I'm going to have to nack this for Stretch, as much as I like to
> > > approve transitions and get new stuff in. I have looked at the opened bugs and
> > > I'm afraid this still is too disruptive. I have noticed that you have forwarded
> > > some of them and sent patches, and I appreciate that. We can do this early in
> > > the Buster cycle, so let's look at the status of this and prepare for the
> > > transition when Stretch gets released.
> > Is having 2 version of OpenSSL in Stretch an option?
> We've discussed this within the security team and we'd be fine with
> a one-time exception to have two openssl releases in stretch; the API
> changes are clearly too invasive to cover the entire Debian archive,
> but 1.1 also carries sufficiently important new features (like support
> for chacha20/poly1305) to warrant the extra complexity.
What are actually the exact technical benefits of 1.1 that are relevant
for the software in stretch?
Which new features are desirable for all OpenSSL-using software,
and for which new features is it a good option that only software
using these features opts in to using 1.1?
The only way to make chacha20/poly1305 available for all OpenSSL-using
code in stretch would be to patch 1.0.2. Patches are available and
LibreSSL ships this since the original release in July 2014, so that
should be doable.
Improvements to the defaults like #728504 (disable RC4 by default) can
be backported to 1.0.2 even more easily. And these are things that
really should be done in any case, unless stretch ships without 1.0.2
What is the situation regarding other important 1.1 features?
> (It's the release team's call of course).
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed