Bug#827061: transition: openssl

To: Kurt Roeckx <kurt@roeckx.be>, 827061@bugs.debian.org
Cc: Emilio Pozuelo Monfort <pochu@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, Niels Thykier <niels@thykier.net>
Subject: Bug#827061: transition: openssl
From: Adrian Bunk <bunk@stusta.de>
Date: Sun, 30 Oct 2016 22:18:32 +0200
Message-id: <[🔎] 20161030201832.yxc4skdtpx252ol6@bunk.spdns.de>
Reply-to: Adrian Bunk <bunk@stusta.de>, 827061@bugs.debian.org
In-reply-to: <[🔎] 20161029002811.femkflr3kcjarsbt@roeckx.be>
References: <20160611185953.GA5730@roeckx.be> <1c8f9db8-5693-8fea-ced4-baac39b50bef@debian.org> <20160611194259.GA6864@roeckx.be> <20160918193342.ceb3exgts6illbfq@roeckx.be> <[🔎] 20161012204732.r3kowe6xszotwv4u@roeckx.be> <[🔎] b0280950-8a57-89b3-d321-584c083b95be@debian.org> <[🔎] 20161019204408.axgeshilz3zvsizr@roeckx.be> <[🔎] 20161025180906.eg2ahmslxkdgiai3@pisco.westfalen.local> <[🔎] bd47f8b3-1b83-cecf-fbd4-1cad21e8decd@debian.org> <[🔎] 20161029002811.femkflr3kcjarsbt@roeckx.be>

Disclaimer:
I am not a member of the release team, and I am only speaking for myself.

On Sat, Oct 29, 2016 at 02:28:12AM +0200, Kurt Roeckx wrote:
>...
> I think the most important new security feature in the 1.1.0
> version is the extended master secret support. There are also a
> bunch of others like the chacha20-poly1305 and x25519, but they're
> less important. All TLS using applications really should start
> ussing the EMS, not just a few that want to switch to 1.1.

This implies that OpenSSL 1.0.2 in stretch has to support EMS.

Reality is that a significant part of the archive will likely
use 1.0.2 in stretch, and planning should not be based on the
unlikely case that everything compiles and works smoothly with 1.1.0

The soft freeze is only 2 months away, and therefore a complete 
transition to 1.1.0 in stretch would imply that libssl1.0.2 must be 
removed from testing in November if it should not delay the whole 
release - I'd expect there will be plenty of runtime bugs in both 
OpenSSL itself and the 1.1.0 support of various users that will
require debugging and fixing, and runtime testing of everything
has to start ASAP.

If everything that is important in 1.1.0 should be used by all
users of OpenSSL in stretch, then the best solution for stretch
is to ship only 1.0.2 and add all desired features there.

1.0.2 is also LTS, and has upstream security support for an additional 
16 months after upstream support for 1.1.0 has ended.

I am aware that this is not a nice solution, but since there does not 
seem to be a realistic 1.1.0-only solution without impact on the release 
schedule it might be the best among the available options.

> Kurt

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to:

Follow-Ups:
- Bug#827061: transition: openssl
  - From: Kurt Roeckx <kurt@roeckx.be>

References:
- Bug#827061: transition: openssl
  - From: Kurt Roeckx <kurt@roeckx.be>
- Bug#827061: transition: openssl
  - From: Emilio Pozuelo Monfort <pochu@debian.org>
- Bug#827061: transition: openssl
  - From: Kurt Roeckx <kurt@roeckx.be>
- Bug#827061: transition: openssl
  - From: Moritz Muehlenhoff <jmm@debian.org>
- Bug#827061: transition: openssl
  - From: Emilio Pozuelo Monfort <pochu@debian.org>
- Bug#827061: transition: openssl
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Re: Architecture qualification meeting
Next by Date: Bug#827061: transition: openssl
Previous by thread: Bug#827061: transition: openssl
Next by thread: Bug#827061: transition: openssl
Index(es):
- Date
- Thread