On Mon, 15 Feb 2016 18:59:46 +0000 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> On Mon, 2016-02-15 at 19:46 +0100, Christian Beer wrote:
> > Hi,
> >
> > there are more people reporting that they are directly affected by a bug
> > in the Debian Jessie openssl package where it doesn't check an
> > alternative certificate chain (which is fixed in the latest upstream
> > 1.0.1).
> [...]
> > Right now the combination of openssl and ca-certificates in Debian
> > Jessie is not working for a lot of websites (that they themselves can't
> > fix). I understand the hesitation to upgrade openssl but I would like to
> > return to a working Jessie rather than use an obviously broken one.
>
> If it's that broken, then it should be fixed anyway, regardless of any
> decision of whether or not to accept full upstream releases in to
> Jessie.
>
> Regards,
>
> Adam

As a long-time Debian user who is indirectly affected by this issue, I'd
like to see Debian simply adopt the upstream 1.0.2 releases instead of
trying to maintain a messy fork that contains a mix of 1.0.1 and backported
1.0.2 changes. Staying as close as possible to upstream benefits Debian by
using releases that have been reviewed and tested by both upstream and also
other OpenSSL users. Every change backported onto Debian's stable version
of OpenSSL also carries the risk of creating a new security vulnerability
unique to Debian, and staying close to upstream minimizes this. Although
upstream could introduce bugs in their new releases, the same is equally
true when Debian makes its own releases from backported changes.

Some upstreams do not make releases that are suitable for reuse as SRUs, so
I think this kind of policy may need to be decided on a case by case basis.
In the case of OpenSSL, it's a mature, widely used package whose releases
consist mostly of security updates anyway, and they've also promised not to
break binary compatibility between last-digit releases like 1.0.1 and
1.0.2.[1] There seems to be little justification for the risk and
significant effort required to maintain a fork that sits in between 1.0.1
and 1.0.2, and I think that if new upstream releases do introduce problems,
Debian is better off working directly with upstream than trying to do its
own completely separate OpenSSL development.

Also, my own testing seems to show that the certificate chain issue is
still present in the latest 1.0.1 release (as I commented on 813468), so
adopting the latest 1.0.2 release seems like the only reasonable
alternative.

[1] https://www.openssl.org/policies/releasestrat.html
