[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#827061: transition: openssl

I am not a member of the release team, and I am only speaking for myself.

On Sat, Oct 29, 2016 at 02:28:12AM +0200, Kurt Roeckx wrote:
> I think the most important new security feature in the 1.1.0
> version is the extended master secret support. There are also a
> bunch of others like the chacha20-poly1305 and x25519, but they're
> less important. All TLS using applications really should start
> ussing the EMS, not just a few that want to switch to 1.1.

This implies that OpenSSL 1.0.2 in stretch has to support EMS.

Reality is that a significant part of the archive will likely
use 1.0.2 in stretch, and planning should not be based on the
unlikely case that everything compiles and works smoothly with 1.1.0

The soft freeze is only 2 months away, and therefore a complete 
transition to 1.1.0 in stretch would imply that libssl1.0.2 must be 
removed from testing in November if it should not delay the whole 
release - I'd expect there will be plenty of runtime bugs in both 
OpenSSL itself and the 1.1.0 support of various users that will
require debugging and fixing, and runtime testing of everything
has to start ASAP.

If everything that is important in 1.1.0 should be used by all
users of OpenSSL in stretch, then the best solution for stretch
is to ship only 1.0.2 and add all desired features there.

1.0.2 is also LTS, and has upstream security support for an additional 
16 months after upstream support for 1.1.0 has ended.

I am aware that this is not a nice solution, but since there does not 
seem to be a realistic 1.1.0-only solution without impact on the release 
schedule it might be the best among the available options.

> Kurt



       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to: