On 12:07 Wed 09 Nov , Willy Tarreau wrote: > On Wed, Nov 09, 2016 at 11:44:41AM +0200, Apollon Oikonomopoulos wrote: > > Thanks for this. Is it too much of a hassle to ask for a 1.6 backport? > > Given that it breaks support for older versions (0.9.8 at least), for > now it's out of question. And it has received only limited testing. If > we manage to stabilise the patch to properly handle all versions where > 1.6 currently works, then maybe the question could be reconsidered.
Agreed, thanks for the clarification. > > > We currently have a release-critical bug in Debian for OpenSSL 1.1 > > compatibility[1], so it would greatly help us. I could go ahead and try > > to make a backport myself, however I admit I'm a bit reluctant to touch > > OpenSSL-related code at this point. > > You should definitely avoid it, the testing is insufficient for now. > > Another, better option would be to upgrade the haproxy package to 1.7 for > the next debian release so that it matches the new openssl version as well. > There are (too) few changes in 1.7 compared to 1.6, it mostly accumulated > all the fixes that resulted from the bugs coming with the new architecture > brought in 1.6. I consider 1.7 almost as stable as 1.6, and will encourage > users to upgrade. I don't know how much time left you have to decide on a > version for a new distro (I don't know the process at all). Let's say that we must have settled with a stable-enough version by early December. Is there a chance there will be a final 1.7 release by then? Regards, Apollon