
Bug#827061: transition: openssl



On Wed, Oct 26, 2016 at 10:55:19AM +0200, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed
> 
> On 25/10/16 20:09, Moritz Muehlenhoff wrote:
> > On Wed, Oct 19, 2016 at 10:44:08PM +0200, Kurt Roeckx wrote:
> >> On Mon, Oct 17, 2016 at 08:52:31PM +0200, Emilio Pozuelo Monfort wrote:
> >>>
> >>> I'm sorry but I'm going to have to nack this for Stretch, as much as I like to
> >>> approve transitions and get new stuff in. I have looked at the opened bugs and
> >>> I'm afraid this still is too disruptive. I have noticed that you have forwarded
> >>> some of them and sent patches, and I appreciate that. We can do this early in
> >>> the Buster cycle, so let's look at the status of this and prepare for the
> >>> transition when Stretch gets released.
> >>
> >> Is having 2 versions of OpenSSL in Stretch an option?
> > 
> > We've discussed this within the security team and we'd be fine with
> > a one-time exception to have two openssl releases in stretch; the API
> > changes are clearly too invasive to cover the entire Debian archive,
> > but 1.1 also carries sufficiently important new features (like support
> > for chacha20/poly1305) to warrant the extra complexity.
> > 
> > (It's the release team's call of course).
> 
> 19:46 <  nthykier> pochu: seen jmm_ reply to the libssl thread?
> 19:46 <  jcristau> adsb: yay for binary debdiffs in q-v!  thanks a bunch.
> 19:46 <     pochu> yep
> 19:47 <     pochu> nthykier: so my concern was there was a big risk that we
> wouldn't finish the transition in time, delaying the release. but if the security
> team is fine with (potentially, as I'll try not to) shipping both, then we
> should be fine, and I think I'll ack it
> 19:48 <     pochu> of course we'll still try to get rid of the old one
> 19:48 <  nthykier> ack, I think that just made me pro on doing that as well
> 19:48 <     pochu> cool, good to see we're on the same page
> 
> So let's do this. Let's try to get it finished and only ship openssl 1.1. We
> still have three months until the full freeze, and depending on how many
> packages (and which ones, for risk management etc) are left to be fixed after
> that, I may be happy to grant exceptions. But worst case we just ship both.
> 
> But please, wait a little bit so that we can sort out the PIE fallout. You can
> start preparing the updates and upload to experimental to clear NEW if you want.
> We'll let you know once it's ok to upload to sid.

So it has been suggested that we keep the libssl-dev package at
the 1.0.2 package and create a new -dev package for the 1.1
version. We could then lower the severity of the bugs to important
again, and only the packages wanting to make use of 1.1 could
switch then.

I think the most important new security feature in the 1.1.0
version is the extended master secret support. There are also a
bunch of others like the chacha20-poly1305 and x25519, but they're
less important. All TLS using applications really should start
using the EMS, not just a few that want to switch to 1.1.


Kurt

