On Mon, 15 Feb 2016 18:59:46 +0000 "Adam D. Barratt" <adam@adam-barratt.org.uk> wrote:
> On Mon, 2016-02-15 at 19:46 +0100, Christian Beer wrote:
> > Hi,
> >
> > there are more people reporting that they are directly affected by a bug
> > in the Debian Jessie openssl package where it doesn't check an
> > alternative certificate chain (which is fixed in the latest upstream 1.0.1).
> [...]
> > Right now the combination of openssl and ca-certificates in Debian
> > Jessie is not working for a lot of websites (that they themselves can't
> > fix). I understand the hesitation to upgrade openssl but I would like to
> > return to a working Jessie rather than use an obviously broken one.
>
> If it's that broken, then it should be fixed anyway, regardless of any
> decision of whether or not to accept full upstream releases into
> Jessie.
>
> Regards,
>
> Adam
As a long-time Debian user who is indirectly affected by this issue, I'd like to see Debian simply adopt the upstream 1.0.2 releases instead of trying to maintain a messy fork that contains a mix of 1.0.1 and backported 1.0.2 changes. Staying as close as possible to upstream benefits Debian by using releases that have been reviewed and tested by both upstream and also other OpenSSL users. Every change backported onto Debian's stable version of OpenSSL also carries the risk of creating a new security vulnerability unique to Debian, and staying close to upstream minimizes this. Although upstream could introduce bugs in their new releases, the same is equally true when Debian makes its own releases from backported changes.