[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#827061: Please commit to OpenSSL 1.0.2 in stretch now not constantly re-evaluateing

My understanding of the current plan is that we're adding openssl 1.1.0
to unstable, but will make a decision about whether to drop libssl1.0.2

That's really frustrating for the rest of the ecosystem--our users and
our upstreams, and I'd ask the release team to commit now to 1.0.2 being
available for stretch.

At least one of the clusters of packages I'm involved in--shibboleth and
moonshot will require some real upstream porting effort.
That's under way in a time scale that will work for  buster, but is very
unlikely to meet the stretch freeze timeline.

It's possible that resources could be reprioritized and that with a
fairly agressive scramble, we could get things working with OpenSSL 1.1
in time for stretch.
However money and time are finite.
That would take away from other priorities and would have significant
risks in terms of stability.

Debian matters in the larger ecosystems, and we owe it to our upstreams
and our users to decide now whether we're asking people to make those
sort of mad scrambles.
I think we should not.  Regardless, decisions now matter.

Thanks for your consideration,


Reply to: