On Fri, Nov 4, 2016 at 1:43 AM, Ian Jackson <ijack...@chiark.greenend.org.uk> wrote:
> I'm concerned that we are setting up a situation where:
>
> * A maintainer (or interested party) for a package which peripherally
>   uses openssl;
> * Gets an RC bug report;
> * Is threatened with autoremoval;
> * Does not really know how to respond;
> * Does not have useful support from their own upstream because
>   their own upstream hasn't got to grips with this yet;
> * Feels under pressure that they must Fix It Now.
>
> This seems to be setting ourselves up for failures - particularly,
> failures where the package compiles and seems to work, but has some
> kind of problem in its use of openssl APIs which constitutes a
> security problem.
> [...]

I fully agree, and I have been stating that for months.

In fact, yesterday I checked that my package witty now builds fine with OpenSSL 1.1.0 thanks to a new version of Boost. But I suspect there will be something wrong at runtime, because witty does link to Qt4, which, as Lisandro said recently, does not support OpenSSL 1.1.0. It may fail at runtime.

As I requested a few days ago, please delay making OpenSSL 1.1.0 the default for 1 year (and even then, we should be checking the case where something links directly to one version of OpenSSL, and also links to something that dlopens some other version of OpenSSL).

Thank you

-- 
Pau Garcia i Quiles
http://www.elpauer.org
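The mixed-version case raised at the end of the message (a binary linked against one OpenSSL while a dependency dlopens another) is invisible to `ldd`, since only libraries named in the dynamic section are listed there; it can be seen in `/proc/<pid>/maps` of the running process. The following is an added example, not code from this thread or from Debian: a POSIX shell check that reads maps-style text and reports whether more than one OpenSSL ABI version (the soname suffix, e.g. libssl.so.1.0.0 next to libssl.so.1.1) is mapped into the same process. The maps excerpts are constructed for the example, not captured from witty or Qt4, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): detect two OpenSSL ABI versions
# mapped into one process, e.g. libssl.so.1.1 pulled in directly and
# libssl.so.1.0.0 pulled in by a dlopen()ed dependency. ldd cannot see
# the dlopen() case, so the check reads /proc/<pid>/maps at runtime.

# List the distinct OpenSSL ABI versions (the soname suffix after ".so.")
# found in maps text read from stdin. libssl and libcrypto of the same
# version count as one entry; the last field of a maps line is the path.
openssl_versions() {
    awk '{ print $NF }' \
    | grep -E '/lib(ssl|crypto)\.so\.[0-9][0-9.]*$' \
    | sed -E 's#.*/lib(ssl|crypto)\.so\.##' \
    | sort -u
}

# Exit 0 when at most one OpenSSL version is mapped, 1 when two or more
# are (the mixed-version situation the message warns about).
check_maps() {
    versions=$(openssl_versions)
    n=$(printf '%s\n' "$versions" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$n" -gt 1 ]; then
        printf 'mixed OpenSSL versions mapped: %s\n' \
            "$(printf '%s' "$versions" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Live check against a running process: check_pid <pid>
check_pid() {
    check_maps < "/proc/$1/maps"
}

# Constructed maps excerpts for demonstration (not captured from a real
# process). Only the path column matters to the check.
sample_clean() {
cat <<'EOF'
7f1a00000000-7f1a00100000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1a00200000-7f1a00500000 r-xp 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f1a00600000-7f1a00700000 r-xp 00000000 08:01 2000 /usr/lib/x86_64-linux-gnu/libQtNetwork.so.4
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Same process after a dependency has dlopen()ed the 1.0.0 ABI as well.
sample_mixed() {
cat <<'EOF'
7f1a00000000-7f1a00100000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1a00200000-7f1a00500000 r-xp 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f1a00600000-7f1a00700000 r-xp 00000000 08:01 2000 /usr/lib/x86_64-linux-gnu/libQtNetwork.so.4
7f1a00800000-7f1a00900000 r-xp 00000000 08:01 3000 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f1a00a00000-7f1a00d00000 r-xp 00000000 08:01 3001 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Usage: ./openssl-mixcheck.sh <pid>  (checks a live process)
if [ "$#" -eq 1 ]; then
    check_pid "$1"
fi
```

Run it against a process after it has actually opened a TLS connection, not just at startup: a library that dlopens OpenSSL lazily (as Qt's network module does) will not have mapped it before first use, so a clean result at launch says nothing about the steady state.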