Sam Hartman:
> My understanding of the current plan is that we're adding openssl 1.1.0
> to unstable, but will make a decision about whether to drop libssl1.0.2
> later.
> That's really frustrating for the rest of the ecosystem--our users and
> our upstreams, and I'd ask the release team to commit now to 1.0.2 being
> available for stretch.
> [...]
> Debian matters in the larger ecosystems, and we owe it to our upstreams
> and our users to decide now whether we're asking people to make those
> sort of mad scrambles.
> I think we should not.  Regardless, decisions now matter.
> Thanks for your consideration,
> --Sam

Hi Sam,

openssl/1.0.2 will remaining in stretch and will be available to the
subset of packages that are infeasible to port to openssl/1.1 in time
for stretch.  All parties promoting ssl1.1 as default for stretch assume
that there will be packages left requiring ssl1.0.2.

We still urge people to support openssl/1.1 where it is feasible and
reasonable to port their packages.  openssl/1.0.2 is in the low/old end
of "modern cryptography" and the openssl maintainers are not willing to
deviate from upstream supported features on that aspect.


Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to