
Re: testing, upgrade of openssl libssl1.1 ( 1.1.0f-3 => 1.1.0f-4 )



On Fri 08 Sep 2017 at 09:33:59 +0200, Sven Hartge wrote:

> Michael Grant <mgrant@grant.org> wrote:
> 
> > If this patch won't go to Stretch as a security fix, then the world is
> > hidden from this until Buster comes out in about 2 years.
> 
> Exactly. Read the discussion(s) in debian-devel about this. The last
> idea was to have Buster semi-broken until shortly before the release and
> then switch back on TLS1.0 and TLS1.1 support.

I didn't quite read it like this. The -devel discussions had a broad
consensus regarding the change in buster but the maintainer has laid
his stall out.

 > My problem is that if we don't do something, TLS 1.0 will be used
 > for another 10 years, and that's just not acceptable. So I would
 > like to do something so that hopefully by the time Buster releases
 > you can disable TLS 1.0 by default, and that almost no users would
 > need to enable it again.
 >
 > Disabling the protocols is the only way I know how to identify
 > all the problems. And I would like to encourage everybody to
 > contact the other side if things break and get them to upgrade.

There you are. Everyone who is affected by this change can use their
persuasive powers to bring about change. Microsoft, Google etc will
be overwhelmed by the Debian shock troops and fall into line.

And again:

 > I have a patch for that at:
 > https://github.com/openssl/openssl/pull/4128
 >
 > I might upload this soon. The intention is still to ship Buster
 > with TLS 1.0 and 1.1 completely disabled.

Couldn't be clearer. The maintainer does not plan to switch back to
TLS1.0 and TLS1.1 support, even as a configurable option. Fancy
being cannon fodder? ;)

-- 
Brian.
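The maintainer's point above is that breakage is how you find out who still depends on TLS 1.0/1.1. A less disruptive way to take that inventory, added here as an example that is not part of the thread, is to parse the negotiated version out of captured ServerHello records; the sample records below are constructed inline for the demonstration.

```python
import struct

# Wire values of ProtocolVersion (RFC 5246 section 6.2.1, RFC 8446 section 4.2.1).
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY = {"SSLv3", "TLS 1.0", "TLS 1.1"}


def negotiated_version(record):
    """Return the protocol version selected in one ServerHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack(">H", hello[0:2])[0]
    pos = 34                      # skip server_version (2) + random (32)
    pos += 1 + hello[pos]         # session_id
    pos += 3                      # cipher_suite (2) + compression_method (1)
    if pos + 2 <= len(hello):     # extensions block is optional
        ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            if etype == 0x002B and len(data) == 2:   # supported_versions: TLS 1.3 puts the real choice here
                version = struct.unpack(">H", data)[0]
            pos += 4 + elen
    return VERSIONS.get(version, "unknown 0x%04x" % version)


def legacy_handshakes(records):
    """Versions of the captured ServerHellos that still land on a legacy protocol."""
    return [v for v in map(negotiated_version, records) if v in LEGACY]


def server_hello(version, selected=None):
    """Build a minimal ServerHello record (constructed test data, not a real capture)."""
    hello = struct.pack(">H", version) + b"\x00" * 32   # server_version + random
    hello += b"\x00"                                     # empty session_id
    hello += b"\x00\x2f" + b"\x00"                       # TLS_RSA_WITH_AES_128_CBC_SHA, null compression
    if selected is not None:
        ext = struct.pack(">HHH", 0x002B, 2, selected)
        hello += struct.pack(">H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed sample: one TLS 1.0 peer, one TLS 1.2 peer, one TLS 1.3 peer.
SAMPLES = [server_hello(0x0301), server_hello(0x0303), server_hello(0x0303, 0x0304)]
```

Feeding real ServerHello records (for example extracted from a packet capture) into `legacy_handshakes` lists the peers that would break once TLS 1.0 and 1.1 are disabled.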