Accepted golang-github-mendersoftware-openssl 1.1.0-4 (source) into unstable

2022-10-14 Thread Debian FTP Masters
: golang-github-mendersoftware-openssl (1.1.0-4) unstable; urgency=medium . * Depend on pkg-config * Add myself to Uploaders * Set upstream metadata fields: Repository, Repository-Browse. Checksums-Sha1: ab5298487c07510b6583d46488cb6806fd952a64 2444 golang-github-mendersoftware

Accepted tpm2-openssl 1.1.0-2 (source) into unstable

2022-05-16 Thread Debian FTP Masters
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 16 May 2022 11:01:50 +0100 Source: tpm2-openssl Architecture: source Version: 1.1.0-2 Distribution: unstable Urgency: medium Maintainer: Luca Boccassi Changed-By: Luca Boccassi Closes: 1004491 Changes: tpm2-openssl (1.1.0-2

Accepted golang-github-mendersoftware-openssl 1.1.0-3 (source) into unstable

2022-05-15 Thread Debian FTP Masters
: 996422 Changes: golang-github-mendersoftware-openssl (1.1.0-3) unstable; urgency=medium . * Team upload. * Add patches from Ubuntu to fix compatibility with openSSLv3 and skip a network test (Closes: #996422) * Bump Standards-Version to 4.6.1 (no changes needed) * Bump debhelper

Accepted tpm2-openssl 1.1.0-1 (source) into experimental

2022-03-26 Thread Debian FTP Masters
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 26 Mar 2022 13:49:54 + Source: tpm2-openssl Architecture: source Version: 1.1.0-1 Distribution: experimental Urgency: medium Maintainer: Luca Boccassi Changed-By: Luca Boccassi Changes: tpm2-openssl (1.1.0-1

Accepted golang-github-mendersoftware-openssl 1.1.0-2 (source) into unstable

2020-12-10 Thread Debian FTP Masters
: golang-github-mendersoftware-openssl (1.1.0-2) unstable; urgency=medium . * d/control: remove double space in description * d/copyright: Fix lintian issue, space in license short name . golang-github-mendersoftware-openssl (1.1.0-1) unstable; urgency=medium . * New upstream version 1.1.0

Re: OpenSSL 1.1.0

2016-12-11 Thread Sean Whitton
Hello, On Wed, Nov 16, 2016 at 04:03:04PM +, Jonathan Wiltshire wrote: > On 2016-11-16 12:26, Ian Jackson wrote: > > In the absence of input from the openssl maintainers, I would like to > > ask the Release Team's opinion. > > > > If we are going to wind back on this change we should do it

Re: OpenSSL 1.1.0

2016-11-25 Thread Lisandro Damián Nicanor Pérez Meyer
On Friday, 25 November 2016 10:38:00 ART Stepan Golosunov wrote: > On 25.11.2016 at 02:07:11 +0100 Jan Niehusmann wrote: > > On Fri, Nov 25, 2016 at 01:56:19AM +0400, Stepan Golosunov wrote: > > > qsslsocket_openssl_symbols.cpp also tries to load any libssl.* it can > > > find (in

Re: OpenSSL 1.1.0

2016-11-24 Thread Stepan Golosunov
On 25.11.2016 at 02:07:11 +0100 Jan Niehusmann wrote: > On Fri, Nov 25, 2016 at 01:56:19AM +0400, Stepan Golosunov wrote: > > qsslsocket_openssl_symbols.cpp also tries to load any libssl.* it can > > find (in directories gathered from dl_iterate_phdr) when it cannot > > find libssl.so.. This asks

Re: OpenSSL 1.1.0

2016-11-24 Thread Jan Niehusmann
On Fri, Nov 25, 2016 at 01:56:19AM +0400, Stepan Golosunov wrote: > qsslsocket_openssl_symbols.cpp also tries to load any libssl.* it can > find (in directories gathered from dl_iterate_phdr) when it cannot > find libssl.so.. This asks for trouble when > libssl1.0.2 is not installed and probably

Re: OpenSSL 1.1.0

2016-11-24 Thread Stepan Golosunov
On 24.11.2016 at 00:37:01 +0100 Kurt Roeckx wrote: > I've always had the impression that there are or used to be > problems using dlopen()/dlsym(). Maybe related to some things > like RTDL_GLOBAL that causes the symbol lookup to go to the wrong > library. Do you know of any problems related to

Re: OpenSSL 1.1.0

2016-11-24 Thread Jan Niehusmann
On Thu, Nov 24, 2016 at 07:23:22PM +0200, Adrian Bunk wrote: > If both b-dev and c-dev would depend on the libssl*-dev they use, Which is not always the case, now. qtbase5-private-dev exposes lots of internal OpenSSL structures, but doesn't depend on any OpenSSL package. libcurl4-openssl-dev

Re: OpenSSL 1.1.0

2016-11-24 Thread Adrian Bunk
On Thu, Nov 24, 2016 at 02:50:23PM -0200, Henrique de Moraes Holschuh wrote: > On Thu, 24 Nov 2016, Adrian Bunk wrote: > > On Wed, Nov 23, 2016 at 11:50:12PM -0200, Henrique de Moraes Holschuh wrote: > > > On Thu, 24 Nov 2016, Kurt Roeckx wrote: > > >... > > > > > So, if Qt *ever* exposes its use

Re: OpenSSL 1.1.0

2016-11-24 Thread Henrique de Moraes Holschuh
On Thu, 24 Nov 2016, Adrian Bunk wrote: > On Wed, Nov 23, 2016 at 11:50:12PM -0200, Henrique de Moraes Holschuh wrote: > > On Thu, 24 Nov 2016, Kurt Roeckx wrote: > >... > > > > So, if Qt *ever* exposes its use of openssl anywhere in its APIs, it > > > > might not be safe. If it doesn't (i.e. at

Re: OpenSSL 1.1.0

2016-11-24 Thread Adrian Bunk
On Thu, Nov 24, 2016 at 03:20:06PM +0100, Jan Niehusmann wrote: > On Thu, Nov 24, 2016 at 03:59:10PM +0200, Adrian Bunk wrote: > > If inspection is not easily possible, then adding a dependency on > > libssl1.0-dev to qtbase5-private-dev should be sufficient to > > ensure that this is not leaked

Re: OpenSSL 1.1.0

2016-11-24 Thread Lisandro Damián Nicanor Pérez Meyer
On Thursday, 24 November 2016 15:20:06 ART Jan Niehusmann wrote: > On Thu, Nov 24, 2016 at 03:59:10PM +0200, Adrian Bunk wrote: > > If inspection is not easily possible, then adding a dependency on > > libssl1.0-dev to qtbase5-private-dev should be sufficient to > > ensure that this is not

Re: OpenSSL 1.1.0

2016-11-24 Thread Jan Niehusmann
On Thu, Nov 24, 2016 at 03:59:10PM +0200, Adrian Bunk wrote: > If inspection is not easily possible, then adding a dependency on > libssl1.0-dev to qtbase5-private-dev should be sufficient to > ensure that this is not leaked to a different OpenSSL version. I see two disadvantages: 1) doesn't

Re: OpenSSL 1.1.0

2016-11-24 Thread Adrian Bunk
On Wed, Nov 23, 2016 at 11:50:12PM -0200, Henrique de Moraes Holschuh wrote: > On Thu, 24 Nov 2016, Kurt Roeckx wrote: >... > > > So, if Qt *ever* exposes its use of openssl anywhere in its APIs, it > > > might not be safe. If it doesn't (i.e. at most you have a qt flag that > > > says "use SSL",

Re: OpenSSL 1.1.0

2016-11-23 Thread Lisandro Damián Nicanor Pérez Meyer
On Thursday, 24 November 2016 00:37:01 ART Kurt Roeckx wrote: [snip] > > So, if Qt *ever* exposes its use of openssl anywhere in its APIs, it > > might not be safe. If it doesn't (i.e. at most you have a qt flag that > > says "use SSL", etc), then it should be fine. > > It seems to be

Re: OpenSSL 1.1.0

2016-11-23 Thread Henrique de Moraes Holschuh
On Thu, 24 Nov 2016, Kurt Roeckx wrote: > I've always had the impression that there are or used to be > problems using dlopen()/dlsym(). Maybe related to some things > like RTDL_GLOBAL that causes the symbol lookup to go to the wrong > library. Do you know of any problems related to that?

Re: OpenSSL 1.1.0

2016-11-23 Thread Kurt Roeckx
On Mon, Nov 21, 2016 at 11:30:13AM -0200, Henrique de Moraes Holschuh wrote: > On Mon, Nov 21, 2016, at 11:06, Jan Niehusmann wrote: > > On Mon, Nov 21, 2016 at 11:11:09AM +0100, Tino Mettler wrote: > > > At the end I noticed that Qt will stay at 1.0 (by glancing into the > > > changelog of the

Re: OpenSSL 1.1.0

2016-11-22 Thread Antti Järvinen
Henrique de Moraes Holschuh writes: > The linking is fine, I believe even any eventual globals (if any) will > be correctly handled in Debian nowadays. What causes extremely nasty Someone confirm following is true: both application using 1.1 and library (qt in my example) using 1.0 both create

Re: OpenSSL 1.1.0

2016-11-21 Thread Russ Allbery
Bernd Zeimetz writes: > On 11/21/2016 03:35 AM, Clint Adams wrote: >> On Sun, Nov 20, 2016 at 01:57:52PM +0100, Marco d'Itri wrote: >>> I do not think that anybody has been considering GnuTLS as a credible >>> replacement for a very long time. >> That's very silly. > No, it's

Re: OpenSSL 1.1.0

2016-11-21 Thread Bernd Zeimetz
On 11/21/2016 03:35 AM, Clint Adams wrote: > On Sun, Nov 20, 2016 at 01:57:52PM +0100, Marco d'Itri wrote: >> I do not think that anybody has been considering GnuTLS as a credible >> replacement for a very long time. > > That's very silly. No, it's the truth unfortunately. -- Bernd Zeimetz

Re: OpenSSL 1.1.0

2016-11-21 Thread Lisandro Damián Nicanor Pérez Meyer
On Monday, 21 November 2016 11:30:13 ART Henrique de Moraes Holschuh wrote: > On Mon, Nov 21, 2016, at 11:06, Jan Niehusmann wrote: > > On Mon, Nov 21, 2016 at 11:11:09AM +0100, Tino Mettler wrote: > > > At the end I noticed that Qt will stay at 1.0 (by glancing into the > > > changelog of

Re: OpenSSL 1.1.0

2016-11-21 Thread Henrique de Moraes Holschuh
On Mon, Nov 21, 2016, at 11:06, Jan Niehusmann wrote: > On Mon, Nov 21, 2016 at 11:11:09AM +0100, Tino Mettler wrote: > > At the end I noticed that Qt will stay at 1.0 (by glancing into the > > changelog of the relevant upload) which means that my package also has > > to stay at 1.0 and the

Re: OpenSSL 1.1.0

2016-11-21 Thread Jan Niehusmann
Hi, On Mon, Nov 21, 2016 at 11:11:09AM +0100, Tino Mettler wrote: > At the end I noticed that Qt will stay at 1.0 (by glancing into the > changelog of the relevant upload) which means that my package also has > to stay at 1.0 and the whole excitement resulted in just a changed > build-dep.

Re: OpenSSL 1.1.0

2016-11-21 Thread Tino Mettler
On Thu, Nov 17, 2016 at 13:10:40 +0200, Adrian Bunk wrote: [...] > Is everyone aware that this choice is per-cluster and not per-package? Hi, one of my packages uses OpenSSL and Qt. I tried to inform upstream regarding the plans for 1.1 in Stretch because the package FTBFS with 1.1 as it uses

Re: OpenSSL 1.1.0

2016-11-20 Thread Scott Kitterman
On Sunday, November 20, 2016 12:49:13 AM Kurt Roeckx wrote: > On Sat, Nov 19, 2016 at 10:32:58PM +0100, Ondrej Novy wrote: > > Hi, > > > > 2016-11-19 21:06 GMT+01:00 Kurt Roeckx : > > > Chacha20 would be a new feature. Following the policy that can't > > > be added in a 1.0.2

Re: OpenSSL 1.1.0

2016-11-20 Thread Clint Adams
On Sun, Nov 20, 2016 at 01:57:52PM +0100, Marco d'Itri wrote: > I do not think that anybody has been considering GnuTLS as a credible > replacement for a very long time. That's very silly.

Re: OpenSSL 1.1.0

2016-11-20 Thread Moritz Mühlenhoff
Adrian Bunk wrote: > Supporting 1.0.2 only [1] plus chacha20 patched into that - it is not > obvious to me why this would be that much worse in comparison that > it would not be an option under any circumstances. That patch has never been upstreamed and is not something we can

Re: OpenSSL 1.1.0

2016-11-20 Thread Moritz Mühlenhoff
Stefan Fritsch wrote: > On Friday, 18 November 2016 22:22:59 CET Moritz Mühlenhoff wrote: >> Adrian Bunk wrote: >> > And/or get sponsorship from companies for supporting ChaCha20-patched >> > 1.0.2 >> >> It's not a matter of whipping up some patch; anything

Re: OpenSSL 1.1.0

2016-11-20 Thread Marco d'Itri
On Nov 19, Simon Richter wrote: > My dream solution at this point would be to organize a week-long > hackfest somewhere where we move everything to GnuTLS if possible. I do not think that anybody has been considering GnuTLS as a credible replacement for a very long time. A few

Re: OpenSSL 1.1.0

2016-11-19 Thread Bernd Zeimetz
On 11/19/2016 11:59 PM, Simon Richter wrote: > My dream solution at this point would be to organize a week-long > hackfest somewhere where we move everything to GnuTLS if possible. Are you sure that makes things better? I've seen too many weird issues with GnuTLS. What about LibreSSL? --

Re: OpenSSL 1.1.0

2016-11-19 Thread Kurt Roeckx
On Sat, Nov 19, 2016 at 10:32:58PM +0100, Ondrej Novy wrote: > Hi, > > 2016-11-19 21:06 GMT+01:00 Kurt Roeckx : > > > Chacha20 would be a new feature. Following the policy that can't > > be added in a 1.0.2 version, only bugs get fixed in it. > > > > yep, they don't add new

Re: testing OpenSSL 1.1.0 on jessie

2016-11-19 Thread Sebastian Andrzej Siewior
On 2016-11-18 15:53:20 [+0100], Daniel Pocock wrote: > Is this correct? I have thrown it on sbuild with a Jessie environment and I got more header files. There is a build log [0] around and this directory contains also the resulting .deb files. [0]

Re: OpenSSL 1.1.0

2016-11-19 Thread Simon Richter
Hi, On 19.11.2016 23:07, Marco d'Itri wrote: >> plugin messes with those internals. For example, for apache2 there is >> gridsite >> which uses mod_ssl private interfaces and a private copy of a header from >> the >> apache2 sources to get access to the SSL context. Finding all such issues

Re: OpenSSL 1.1.0

2016-11-19 Thread Marco d'Itri
On Nov 19, Stefan Fritsch wrote: > plugin messes with those internals. For example, for apache2 there is > gridsite > which uses mod_ssl private interfaces and a private copy of a header from the > apache2 sources to get access to the SSL context. Finding all such issues in

Re: OpenSSL 1.1.0

2016-11-19 Thread Ondrej Novy
Hi, 2016-11-19 21:06 GMT+01:00 Kurt Roeckx : > Chacha20 would be a new feature. Following the policy that can't > be added in a 1.0.2 version, only bugs get fixed in it. > yep, they don't add new feature, but break API between 1.1.0b->c release:

Re: OpenSSL 1.1.0

2016-11-19 Thread Kurt Roeckx
On Sat, Nov 19, 2016 at 06:30:06PM +0100, Bernd Zeimetz wrote: > On 11/17/2016 12:40 AM, Kurt Roeckx wrote: > > On Mon, Nov 14, 2016 at 07:10:00PM +, Niels Thykier wrote: > >> > >> The alternative for ChaCha20 would be to adopt Cloudflare's patches[1], > >> but that sort of assumes that you

Re: OpenSSL 1.1.0

2016-11-19 Thread Bernd Zeimetz
On 11/17/2016 12:40 AM, Kurt Roeckx wrote: > On Mon, Nov 14, 2016 at 07:10:00PM +, Niels Thykier wrote: >> >> The alternative for ChaCha20 would be to adopt Cloudflare's patches[1], >> but that sort of assumes that you are only interested in openssl 1.1 for >> ChaCha20 (and not the other

Re: OpenSSL 1.1.0

2016-11-19 Thread Stefan Fritsch
On Friday, 18 November 2016 22:22:59 CET Moritz Mühlenhoff wrote: > Adrian Bunk wrote: > > And/or get sponsorship from companies for supporting ChaCha20-patched > > 1.0.2 > > It's not a matter of whipping up some patch; anything less than an > official backport of chacha20 into

Re: testing OpenSSL 1.1.0 on jessie

2016-11-18 Thread Daniel Pocock
On 18/11/16 21:09, Kurt Roeckx wrote: > On Fri, Nov 18, 2016 at 02:22:23PM -0500, Zack Weinberg wrote: >> Daniel Pocock wrote: >>> I wanted to try compiling some upstream projects against OpenSSL 1.1.0 >>> on jessie, without installing the package though. I tried the

Re: OpenSSL 1.1.0

2016-11-18 Thread Adrian Bunk
On Fri, Nov 18, 2016 at 10:22:59PM +0100, Moritz Mühlenhoff wrote: > Adrian Bunk wrote: > > And/or get sponsorship from companies for supporting ChaCha20-patched > > 1.0.2 > > It's not a matter of whipping up some patch; anything less than an > official backport of chacha20

Re: testing OpenSSL 1.1.0 on jessie

2016-11-18 Thread Kurt Roeckx
Nov 18, 2016 at 03:53:20PM +0100, Daniel Pocock wrote: > >>>> > >>>> > >>>> I wanted to try compiling some upstream projects against OpenSSL 1.1.0 > >>>> on jessie, without installing the package though. > >>>>

Re: OpenSSL 1.1.0

2016-11-18 Thread Moritz Mühlenhoff
Adrian Bunk wrote: > And/or get sponsorship from companies for supporting ChaCha20-patched > 1.0.2 It's not a matter of whipping up some patch; anything less than an official backport of chacha20 into a 1.0.2x release is not going to be supportable. Cheers, Moritz

Re: testing OpenSSL 1.1.0 on jessie

2016-11-18 Thread Daniel Pocock
On 18/11/16 22:12, Kurt Roeckx wrote: > On Fri, Nov 18, 2016 at 09:15:53PM +0100, Daniel Pocock wrote: >> >> >> On 18/11/16 21:10, Kurt Roeckx wrote: >>> On Fri, Nov 18, 2016 at 03:53:20PM +0100, Daniel Pocock wrote: >>>> >>>> >>>>

Re: testing OpenSSL 1.1.0 on jessie

2016-11-18 Thread Kurt Roeckx
On Fri, Nov 18, 2016 at 09:15:53PM +0100, Daniel Pocock wrote: > > > On 18/11/16 21:10, Kurt Roeckx wrote: > > On Fri, Nov 18, 2016 at 03:53:20PM +0100, Daniel Pocock wrote: > >> > >> > >> I wanted to try compiling some upstream projects against OpenSS

Re: testing OpenSSL 1.1.0 on jessie

2016-11-18 Thread Daniel Pocock
On 18/11/16 21:10, Kurt Roeckx wrote: > On Fri, Nov 18, 2016 at 03:53:20PM +0100, Daniel Pocock wrote: >> >> >> I wanted to try compiling some upstream projects against OpenSSL 1.1.0 >> on jessie, without installing the package though. >> >> I tri

Re: testing OpenSSL 1.1.0 on jessie

2016-11-18 Thread Kurt Roeckx
On Fri, Nov 18, 2016 at 03:53:20PM +0100, Daniel Pocock wrote: > > > I wanted to try compiling some upstream projects against OpenSSL 1.1.0 > on jessie, without installing the package though. > > I tried the following: > > dget -x > http://http.debian.net

Re: testing OpenSSL 1.1.0 on jessie

2016-11-18 Thread Kurt Roeckx
On Fri, Nov 18, 2016 at 02:22:23PM -0500, Zack Weinberg wrote: > Daniel Pocock wrote: > > I wanted to try compiling some upstream projects against OpenSSL 1.1.0 > > on jessie, without installing the package though. I tried the following: > > > > dget -x > > http:/

Re: testing OpenSSL 1.1.0 on jessie

2016-11-18 Thread Zack Weinberg
Daniel Pocock wrote: > I wanted to try compiling some upstream projects against OpenSSL 1.1.0 > on jessie, without installing the package though. I tried the following: > > dget -x http://http.debian.net/debian/pool/main/o/openssl/openssl_1.1.0c-1.dsc > > cd openssl-1.1.0c/ &

testing OpenSSL 1.1.0 on jessie

2016-11-18 Thread Daniel Pocock
I wanted to try compiling some upstream projects against OpenSSL 1.1.0 on jessie, without installing the package though. I tried the following: dget -x http://http.debian.net/debian/pool/main/o/openssl/openssl_1.1.0c-1.dsc cd openssl-1.1.0c/ dpkg-buildpackage -rfakeroot -j13 and it builds

Re: OpenSSL 1.1.0

2016-11-17 Thread Adrian Bunk
On Thu, Nov 17, 2016 at 10:43:53PM +0100, Moritz Mühlenhoff wrote: > Adrian Bunk wrote: > > On Tue, Nov 15, 2016 at 09:37:01AM -0300, Lisandro Damián Nicanor Pérez > > Meyer wrote: > >> On Monday, 14 November 2016 16:51:04 ART Marco d'Itri wrote: > >> > On Nov 14,

Re: OpenSSL 1.1.0

2016-11-17 Thread Moritz Mühlenhoff
Adrian Bunk wrote: > On Tue, Nov 15, 2016 at 09:37:01AM -0300, Lisandro Damián Nicanor Pérez Meyer > wrote: >> On Monday, 14 November 2016 16:51:04 ART Marco d'Itri wrote: >> > On Nov 14, Lisandro Damián Nicanor Pérez Meyer >> > wrote: >> > > And

Re: OpenSSL 1.1.0

2016-11-17 Thread Bernd Zeimetz
Hi, > > OpenSSL 1.0 + 1.1 > == > > * Every package will be buildable but we can expect surprises on > runtime due to dlopen'ed libraries, indirect use, etc > * Release delay seems certain but difficult to determine > * Even with a release delay, we cannot be 100% sure all the

Re: OpenSSL 1.1.0

2016-11-17 Thread Adrian Bunk
On Wed, Nov 16, 2016 at 10:53:18PM +0100, Sebastian Andrzej Siewior wrote: > On 2016-11-16 19:49:44 [+0200], Adrian Bunk wrote: > > The problem are not specific bugs, the problem is the whole size of the > > problem: > > > > 1. Sorting out what packages have to stay at 1.0.2 > > The majority of

Re: OpenSSL 1.1.0

2016-11-17 Thread Adrian Bunk
On Thu, Nov 17, 2016 at 12:27:43AM -0500, Scott Kitterman wrote: > On Wednesday, November 16, 2016 10:04:00 PM Lisandro Damián Nicanor Pérez > Meyer wrote: > > On Thursday, 17 November 2016 00:40:42 ART Kurt Roeckx wrote: > > > On Mon, Nov 14, 2016 at 07:10:00PM +, Niels Thykier wrote: >

Re: OpenSSL 1.1.0

2016-11-16 Thread Scott Kitterman
On Wednesday, November 16, 2016 10:04:00 PM Lisandro Damián Nicanor Pérez Meyer wrote: > On Thursday, 17 November 2016 00:40:42 ART Kurt Roeckx wrote: > > On Mon, Nov 14, 2016 at 07:10:00PM +, Niels Thykier wrote: > > > The alternative for ChaCha20 would be to adopt Cloudflare's

Re: OpenSSL 1.1.0

2016-11-16 Thread Lisandro Damián Nicanor Pérez Meyer
On Thursday, 17 November 2016 00:40:42 ART Kurt Roeckx wrote: > On Mon, Nov 14, 2016 at 07:10:00PM +, Niels Thykier wrote: > > The alternative for ChaCha20 would be to adopt Cloudflare's patches[1], > > but that sort of assumes that you are only interested in openssl 1.1 for > > ChaCha20

Re: OpenSSL 1.1.0

2016-11-16 Thread Kurt Roeckx
On Mon, Nov 14, 2016 at 07:10:00PM +, Niels Thykier wrote: > > The alternative for ChaCha20 would be to adopt Cloudflare's patches[1], > but that sort of assumes that you are only interested in openssl 1.1 for > ChaCha20 (and not the other changes). I'm not willing to maintain such a patch.

Re: OpenSSL 1.1.0

2016-11-16 Thread Sebastian Andrzej Siewior
On 2016-11-16 12:26:55 [+], Ian Jackson wrote: > If we decide to wind back the transition and the openssl maintainers > continue not to be available (within the short timeframes required), > we have a lot of people who could competently prepare an NMU. NMU openssl back to 1.0.2 or its rdeps

Re: OpenSSL 1.1.0

2016-11-16 Thread Sebastian Andrzej Siewior
On 2016-11-16 19:49:44 [+0200], Adrian Bunk wrote: > The problem are not specific bugs, the problem is the whole size of the > problem: > > 1. Sorting out what packages have to stay at 1.0.2 > The majority of OpenSSL-using packages in stretch might end up > using 1.0.2 - sorting this out is part

Re: OpenSSL 1.1.0

2016-11-16 Thread Niels Thykier
Ian Jackson: > Ian Jackson writes ("Re: OpenSSL 1.1.0"): > [...] > > I was not able to find the message where the release team gave > permission for the upload of openssl 1.1.x (in particular, the new > version of libssl-dev) to unstable, that started the transitio

Re: OpenSSL 1.1.0

2016-11-16 Thread Adrian Bunk
On Wed, Nov 16, 2016 at 12:15:39AM +0100, Sebastian Andrzej Siewior wrote: > On 2016-11-15 00:16:14 [+0200], Adrian Bunk wrote: > > And since 80% of all OpenSSL-using packages in unstable are still > > using libssl1.0.2 (binNMUs have not yet happened), all runtime > > issues observed so far are

Re: OpenSSL 1.1.0

2016-11-16 Thread Ian Jackson
Jonathan Wiltshire writes ("Re: OpenSSL 1.1.0"): > On 2016-11-16 12:26, Ian Jackson wrote: > > If we are going to wind back on this change we should do it ASAP. We > > should not allow ourselves to make the decision to press on, simply by > > failing to decide o

Re: OpenSSL 1.1.0

2016-11-16 Thread Carsten Leonhardt
Ian Jackson writes: > Reading that bug I think it's a shame that we didn't manage to > effectively identify the issues we've now discussed here on -devel > earlier, despite Kurt's several messages to d-d-a. Concerns were already raised in June, in the subthread

Re: OpenSSL 1.1.0

2016-11-16 Thread Adam Borowski
On Mon, Nov 14, 2016 at 03:37:00PM +0100, Adam Borowski wrote: > Another issue: 1.0.2 is a LTS, supported until 2019-12-31, while 1.1.0 a > short-lived release with upstream support only until 2018-08-31. Hmm... a different interpretation of these two data points: Stretch's EOL is projected for

Re: OpenSSL 1.1.0

2016-11-16 Thread Jonathan Wiltshire
On 2016-11-16 12:26, Ian Jackson wrote: In the absence of input from the openssl maintainers, I would like to ask the Release Team's opinion. If we are going to wind back on this change we should do it ASAP. We should not allow ourselves to make the decision to press on, simply by failing to

Re: OpenSSL 1.1.0

2016-11-16 Thread Ian Jackson
Ian Jackson writes ("Re: OpenSSL 1.1.0"): > Ian Jackson writes ("Re: OpenSSL 1.1.0"): > > Lots of people have posted in this thread that they see problems with > > our current approach to the openssl transition. > > > > Do the openssl maintainers h

Re: OpenSSL 1.1.0

2016-11-16 Thread Moritz Mühlenhoff
Stephan Seitz wrote: > And there is still the problem that 1.1.0 is not supported as long as the > available LTS version. That's not a decisive factor, Debian security support has been extended over the upstream support time frame many times before. Cheers, Moritz

Re: OpenSSL 1.1.0

2016-11-16 Thread Stephan Seitz
OpenSSL 1.1.0 in a secure way even is upstream may not be interested in patching the software for now then we can’t have version 1.1.0. And there is still the problem that 1.1.0 is not supported as long as the available LTS version. Many greetings, Stephan -- | Public Keys: http

Re: OpenSSL 1.1.0

2016-11-16 Thread Marco d'Itri
On Nov 16, Pau Garcia i Quiles wrote: > * Some obscure feature (e. g. BlaBla20) may be missing or be difficult > to support on a limited number of packages (e. g. apache2) ChaCha20 is hardly obscure: if it is to you then I fear that your opinion on this issue is not

Re: OpenSSL 1.1.0

2016-11-16 Thread Pau Garcia i Quiles
On Wed, Nov 16, 2016 at 1:58 PM, Pau Garcia i Quiles wrote: [...] > OpenSSL 1.0 only > = [...] > * Some obscure feature (e. g. BlaBla20) may be missing or be difficult > to support on a limited number of packages (e. g. apache2) [...] Sorry, it's ChaCha20, not

Re: OpenSSL 1.1.0

2016-11-16 Thread Pau Garcia i Quiles
On Wed, Nov 16, 2016 at 1:26 PM, Ian Jackson wrote: > A maintainer should be ready to explain, and if necessary change, > decisions they have taken. (Ideally wider consultation before taking > such a decision would be better.) > > In the absence of input from

Re: OpenSSL 1.1.0

2016-11-16 Thread Ian Jackson
Ian Jackson writes ("Re: OpenSSL 1.1.0"): > Lots of people have posted in this thread that they see problems with > our current approach to the openssl transition. > > Do the openssl maintainers have a response ? I count the following people who expressed concern[1] about

Re: OpenSSL 1.1.0 / transition process

2016-11-15 Thread Daniel Pocock
On 16/11/16 00:01, Sebastian Andrzej Siewior wrote: > On 2016-11-15 17:42:59 [+0100], Daniel Pocock wrote: >> Would the OpenSSL maintainers and/or release managers consider making a >> wiki page about the transition with the most common questions about it, >> similar to the upstream wiki but

Re: OpenSSL 1.1.0 / transition process

2016-11-15 Thread Jonas Smedegaard
Quoting Sebastian Andrzej Siewior (2016-11-16 00:01:06) > On 2016-11-15 17:42:59 [+0100], Daniel Pocock wrote: > > Would the OpenSSL maintainers and/or release managers consider > > making a wiki page about the transition with the most common > > questions about it, similar to the upstream wiki

Re: OpenSSL 1.1.0

2016-11-15 Thread Sebastian Andrzej Siewior
On 2016-11-15 00:16:14 [+0200], Adrian Bunk wrote: > And since 80% of all OpenSSL-using packages in unstable are still > using libssl1.0.2 (binNMUs have not yet happened), all runtime > issues observed so far are only the tip of the iceberg. > Bugs like "With Kurt's patch, apache2 crashes on

Re: OpenSSL 1.1.0 / transition process

2016-11-15 Thread Sebastian Andrzej Siewior
On 2016-11-15 17:42:59 [+0100], Daniel Pocock wrote: > Would the OpenSSL maintainers and/or release managers consider making a > wiki page about the transition with the most common questions about it, > similar to the upstream wiki but with a Debian focus? I started one at

Re: OpenSSL 1.1.0 / transition process

2016-11-15 Thread Daniel Pocock
On 15/11/16 16:54, Ian Jackson wrote: > Lots of people have posted in this thread that they see problems with > our current approach to the openssl transition. > > Do the openssl maintainers have a response ? I just started looking at this thread 2 minutes ago. I really don't know where to

Re: OpenSSL 1.1.0

2016-11-15 Thread Ian Jackson
Lots of people have posted in this thread that they see problems with our current approach to the openssl transition. Do the openssl maintainers have a response ? Thanks, Ian. -- Ian Jackson These opinions are my own. If I emailed you from an address

Re: OpenSSL 1.1.0

2016-11-15 Thread Adrian Bunk
On Tue, Nov 15, 2016 at 07:03:28PM +1100, Scott Leggett wrote: > On 2016-11-15.00:16, Adrian Bunk wrote: > > Bugs like "With Kurt's patch, apache2 crashes on startup with an invalid > > free." > > or #843988 will be a common sight on the list of RC bugs for several > > months in any scenario

Re: OpenSSL 1.1.0

2016-11-15 Thread Adrian Bunk
On Tue, Nov 15, 2016 at 09:37:01AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote: > On Monday, 14 November 2016 16:51:04 ART Marco d'Itri wrote: > > On Nov 14, Lisandro Damián Nicanor Pérez Meyer wrote: > > > And yes, I would step back and switch libssl-dev to

Re: OpenSSL 1.1.0

2016-11-15 Thread Jan Niehusmann
On Tue, Nov 15, 2016 at 10:43:07AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote: > On Monday, 14 November 2016 22:16:25 ART Jan Niehusmann wrote: > [snip] > > (It's fine if packages which depend on libssl-dev get an RC-bug if they > > can't be compiled with OpenSSL 1.1. Packages which

Re: OpenSSL 1.1.0

2016-11-15 Thread Lisandro Damián Nicanor Pérez Meyer
On Tuesday, 15 November 2016 14:52:15 ART Bernd Zeimetz wrote: > On 2016-11-15 14:43, Lisandro Damián Nicanor Pérez Meyer wrote: > > I *really* disagree with that. Switching libssl-dev to provide > > libssl1.1-dev > > means that some apps/libs will get automatically recompiled and some of >

Re: OpenSSL 1.1.0

2016-11-15 Thread Bernd Zeimetz
On 2016-11-15 14:43, Lisandro Damián Nicanor Pérez Meyer wrote: I *really* disagree with that. Switching libssl-dev to provide libssl1.1-dev means that some apps/libs will get automatically recompiled and some of them might even not FTBFS (because for example, they are ready to use 1.1). If

Re: OpenSSL 1.1.0

2016-11-15 Thread Lisandro Damián Nicanor Pérez Meyer
On Monday, 14 November 2016 22:16:25 ART Jan Niehusmann wrote: [snip] > (It's fine if packages which depend on libssl-dev get an RC-bug if they > can't be compiled with OpenSSL 1.1. Packages which can't be ported > should explicitly depend on libssl1.0-dev. That way we'll make progress >

Re: OpenSSL 1.1.0

2016-11-15 Thread Lisandro Damián Nicanor Pérez Meyer
On Monday, 14 November 2016 16:51:04 ART Marco d'Itri wrote: > On Nov 14, Lisandro Damián Nicanor Pérez Meyer wrote: > > And yes, I would step back and switch libssl-dev to provide libssl1.0-dev > > and have libssl1.1-dev around for anyone who can really do the switch.

Re: OpenSSL 1.1.0

2016-11-15 Thread Bernd Zeimetz
On 2016-11-15 11:59, Jonas Smedegaard wrote: 4. use libapache2-mod-gnutls? that might work for you, but it's nothing the common debian user will do. -- Bernd Zeimetz Debian GNU/Linux Developer http://bzed.de http://www.debian.org

Re: OpenSSL 1.1.0

2016-11-15 Thread Jonas Smedegaard
Quoting Adrian Bunk (2016-11-14 23:16:14) > On Mon, Nov 14, 2016 at 07:10:00PM +, Niels Thykier wrote: >> Marco d'Itri: >>> On Nov 14, Lisandro Damián Nicanor Pérez Meyer wrote: And yes, I would step back and switch libssl-dev to provide libssl1.0-dev and have

Re: OpenSSL 1.1.0

2016-11-15 Thread Scott Leggett
On 2016-11-15.00:16, Adrian Bunk wrote: > Bugs like "With Kurt's patch, apache2 crashes on startup with an invalid > free." > or #843988 will be a common sight on the list of RC bugs for several > months in any scenario with OpenSSL 1.1 as default. > > ... > > 2. move the stretch release

Re: OpenSSL 1.1.0

2016-11-14 Thread Adrian Bunk
On Mon, Nov 14, 2016 at 07:10:00PM +, Niels Thykier wrote: > Marco d'Itri: > > On Nov 14, Lisandro Damián Nicanor Pérez Meyer wrote: > > > >> And yes, I would step back and switch libssl-dev to provide libssl1.0-dev > >> and > >> have libssl1.1-dev around for anyone

Re: OpenSSL 1.1.0

2016-11-14 Thread Jan Niehusmann
On Mon, Nov 14, 2016 at 10:45:50AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote: > And yes, I would step back and switch libssl-dev to provide libssl1.0-dev and > have libssl1.1-dev around for anyone who can really do the switch. That's the only viable alternative I see. It looks like an

Re: OpenSSL 1.1.0

2016-11-14 Thread Niels Thykier
Niels Thykier: > Marco d'Itri: >> On Nov 14, Lisandro Damián Nicanor Pérez Meyer wrote: >> >>> And yes, I would step back and switch libssl-dev to provide libssl1.0-dev >>> and >>> have libssl1.1-dev around for anyone who can really do the switch. >> I would not: OpenSSL

Re: OpenSSL 1.1.0

2016-11-14 Thread Niels Thykier
Marco d'Itri: > On Nov 14, Lisandro Damián Nicanor Pérez Meyer wrote: > >> And yes, I would step back and switch libssl-dev to provide libssl1.0-dev >> and >> have libssl1.1-dev around for anyone who can really do the switch. > I would not: OpenSSL 1.0 does not support

Re: OpenSSL 1.1.0

2016-11-14 Thread Dimitri John Ledkov
There is a large number of packages currently build-depending on openssl 1.0 explicitly. Supporting dual-stack 1.0 & 1.1 openssl is a lot of work. In Ubuntu, I have reverted the 1.1 migration, and forced 1.0 to be used and provided by both libssl-dev & libssl1.0-dev packages. This was done after a

Re: OpenSSL 1.1.0

2016-11-14 Thread Russ Allbery
Ondřej Surý writes: > And this is happening all over places (apache2 vs php7.0) - I don't > think we can have a partial transition. It's now all or nothing. xml-security-c has not yet been ported to OpenSSL 1.1 upstream (which is non-trivial), and we're now at an impasse in the

Re: OpenSSL 1.1.0

2016-11-14 Thread Marco d'Itri
On Nov 14, Lisandro Damián Nicanor Pérez Meyer wrote: > And yes, I would step back and switch libssl-dev to provide libssl1.0-dev and > have libssl1.1-dev around for anyone who can really do the switch. I would not: OpenSSL 1.0 does not support ChaCha20 so it would be a

Re: OpenSSL 1.1.0

2016-11-14 Thread Adam Borowski
On Mon, Nov 14, 2016 at 10:45:50AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote: > On Monday, 14 November 2016 13:26:44 ART Ondřej Surý wrote: > > And this is happening all over places (apache2 vs php7.0) - I don't > > think we can have a partial transition. It's now all or nothing. >

Re: OpenSSL 1.1.0

2016-11-14 Thread Lisandro Damián Nicanor Pérez Meyer
On Monday, 14 November 2016 13:26:44 ART Ondřej Surý wrote: > And this is happening all over places (apache2 vs php7.0) - I don't > think we can have a partial transition. It's now all or nothing. I've said it before, I say it again: this transition should *not* have happened at this point
