[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#827061: Please commit to OpenSSL 1.0.2 in stretch now not constantly re-evaluateing

Sam Hartman <hartmans@debian.org> writes:

> Shibboleth comprises opensaml, xmltooling, heavily depends on
> xml-security-c and shibboleth-sp2.

> Ferenc Wágner (copied) has been handling the Shibboleth packaging and
> has an understanding of where the upstream efforts are.  There's been
> discussion on pkg-shibboleth-dev@lists.alioth.debian.org.

Shibboleth upstream has said that they believe the porting effort to be
substantial, since Shibboleth (specifically the lower-level libraries)
heavily use OpenSSL key management and manipulation APIs that are very
affected by the API change, and because (as security software) the
consequences of making a small error in the API change can be very high.

Upstream is working on the changes and on comprehensive tests to ensure
that the port was done correctly, but their timeline doesn't line up well
with our release freeze.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
Reply to: