Re: OpenSSL 1.1.0 / transition process
On 16/11/16 00:01, Sebastian Andrzej Siewior wrote: > On 2016-11-15 17:42:59 [+0100], Daniel Pocock wrote: >> Would the OpenSSL maintainers and/or release managers consider making a >> wiki page about the transition with the most common questions about it, >> similar to the upstream wiki but with a Debian focus? > > I started one at > https://wiki.debian.org/OpenSSL-1.1 > Great, thanks for doing that, I dropped in a couple of additional questions (testing upstream builds with travis-ci, testing on jessie)
Re: OpenSSL 1.1.0 / transition process
Quoting Sebastian Andrzej Siewior (2016-11-16 00:01:06) > On 2016-11-15 17:42:59 [+0100], Daniel Pocock wrote: > > Would the OpenSSL maintainers and/or release managers consider > > making a wiki page about the transition with the most common > > questions about it, similar to the upstream wiki but with a Debian > > focus? > > I started one at > https://wiki.debian.org/OpenSSL-1.1 Great! > > The questions which come to my mind (and may already be answered): > > > > - will it definitely go ahead for stretch? > > > > - will the stretch freeze and release dates be delayed to allow > > people to catch up? > > > > - is it expected that package maintainers spend time patching for > > this, or we can wait for upstreams to support it? [...] > - BTS user tags bugs. All bugs reported by Kurt and myself were user > tagged. - will those user-tagged bugs properly track all related issues too? As an example, Bug#828590 for uwsgi is currently being addressed. When I can hopefully upload that package tomorrow, the package evidently no longer fails to build from source and the FTBFS bug can therefore be closed. But at the same time other bugs - less severe, but directly caused by the conflicting libssl libraries - will emerge¹. I can try to treat such collateral issues as related - e.g. by cloning and adapting, and/or by keeping open the original bug and renaming it, and maybe by user-tagging (if someone documents what tagging is suitable - I sure don't want to make things worse by sloppy bug tagging). But it seems to me that there is a real risk that some of the bugs tracked in above wiki page may miss out on some similar collateral problems in other packages. - Jonas ¹ uwsgi build-depends not only on libssl-dev, but also libapache-dev, php-dev and libcurl4-openssl-dev now linking against conflicting libssl*-dev packages. -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private
Re: OpenSSL 1.1.0 / transition process
On 2016-11-15 17:42:59 [+0100], Daniel Pocock wrote: > Would the OpenSSL maintainers and/or release managers consider making a > wiki page about the transition with the most common questions about it, > similar to the upstream wiki but with a Debian focus? I started one at https://wiki.debian.org/OpenSSL-1.1 > The questions which come to my mind (and may already be answered): > > - will it definitely go ahead for stretch? > > - will the stretch freeze and release dates be delayed to allow people > to catch up? > > - is it expected that package maintainers spend time patching for this, > or we can wait for upstreams to support it? I can't answer those. I just copied them into the Wiki hoping someone will. > - given the huge number of packages listed on the transition page, I > couldn't help feeling that it would be useful to be able to get some > reports about how many packages have now had a bug forwarded upstream, > how many upstreams have released a newer version with the fix, how many > upstreams have a fix that is not released, etc I added to the wiki a few links: - my ben page. Similar to release team's page but it shows which package moved to 1.0 and which more towards 1.1. (updated ~17.15 UTC). - BTS user tags bugs. All bugs reported by Kurt and myself were user tagged. > Regards, > > Daniel Sebastian
Re: OpenSSL 1.1.0 / transition process
On 15/11/16 16:54, Ian Jackson wrote: > Lots of people have posted in this thread that they see problems with > our current approach to the openssl transition. > > Do the openssl maintainers have an response ? I just started looking at this thread 2 minutes ago. I really don't know where to start. Would the OpenSSL maintainers and/or release managers consider making a wiki page about the transition with the most common questions about it, similar to the upstream wiki but with a Debian focus? The questions which come to my mind (and may already be answered): - will it definitely go ahead for stretch? - will the stretch freeze and release dates be delayed to allow people to catch up? - is it expected that package maintainers spend time patching for this, or we can wait for upstreams to support it? - given the huge number of packages listed on the transition page, I couldn't help feeling that it would be useful to be able to get some reports about how many packages have now had a bug forwarded upstream, how many upstreams have released a newer version with the fix, how many upstreams have a fix that is not released, etc Wearing my upstream hat, I do hope to ensure my own packages support it sooner rather than later. Some of them will go into NEW though because they have ABI or API version numbers in the binary package names, so they won't be available immediately. Regards, Daniel
