Re: OpenSSL 1.1.0 / transition process

2016-11-15 Thread Daniel Pocock


On 16/11/16 00:01, Sebastian Andrzej Siewior wrote:
> On 2016-11-15 17:42:59 [+0100], Daniel Pocock wrote:
>> Would the OpenSSL maintainers and/or release managers consider making a
>> wiki page about the transition with the most common questions about it,
>> similar to the upstream wiki but with a Debian focus?
> 
> I started one at
>   https://wiki.debian.org/OpenSSL-1.1
> 

Great, thanks for doing that. I dropped in a couple of additional
questions (testing upstream builds with travis-ci, testing on jessie).



Re: OpenSSL 1.1.0 / transition process

2016-11-15 Thread Jonas Smedegaard
Quoting Sebastian Andrzej Siewior (2016-11-16 00:01:06)
> On 2016-11-15 17:42:59 [+0100], Daniel Pocock wrote:
> > Would the OpenSSL maintainers and/or release managers consider 
> > making a wiki page about the transition with the most common 
> > questions about it, similar to the upstream wiki but with a Debian 
> > focus?
> 
> I started one at
> https://wiki.debian.org/OpenSSL-1.1

Great!


> > The questions which come to my mind (and may already be answered):
> > 
> > - will it definitely go ahead for stretch?
> > 
> > - will the stretch freeze and release dates be delayed to allow 
> > people to catch up?
> > 
> > - is it expected that package maintainers spend time patching for 
> > this, or we can wait for upstreams to support it?
[...]
> - BTS user tags bugs. All bugs reported by Kurt and myself were user
>   tagged.

 - will those user-tagged bugs properly track all related issues too?

As an example, Bug#828590 for uwsgi is currently being addressed.  When 
I can hopefully upload that package tomorrow, the package evidently no 
longer fails to build from source and the FTBFS bug can therefore be 
closed.  But at the same time other bugs - less severe, but directly 
caused by the conflicting libssl libraries - will emerge¹.  I can try to 
treat such collateral issues as related - e.g. by cloning and adapting, 
and/or by keeping open the original bug and renaming it, and maybe by 
user-tagging (if someone documents what tagging is suitable - I sure 
don't want to make things worse by sloppy bug tagging).  But it seems to 
me that there is a real risk that some of the bugs tracked in the above wiki 
page may miss out on some similar collateral problems in other packages.

 - Jonas

¹ uwsgi build-depends not only on libssl-dev, but also libapache-dev, 
php-dev and libcurl4-openssl-dev now linking against conflicting 
libssl*-dev packages.

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private



Re: OpenSSL 1.1.0 / transition process

2016-11-15 Thread Sebastian Andrzej Siewior
On 2016-11-15 17:42:59 [+0100], Daniel Pocock wrote:
> Would the OpenSSL maintainers and/or release managers consider making a
> wiki page about the transition with the most common questions about it,
> similar to the upstream wiki but with a Debian focus?

I started one at
https://wiki.debian.org/OpenSSL-1.1

> The questions which come to my mind (and may already be answered):
> 
> - will it definitely go ahead for stretch?
> 
> - will the stretch freeze and release dates be delayed to allow people
> to catch up?
> 
> - is it expected that package maintainers spend time patching for this,
> or we can wait for upstreams to support it?

I can't answer those. I just copied them into the Wiki hoping someone
will.

> - given the huge number of packages listed on the transition page, I
> couldn't help feeling that it would be useful to be able to get some
> reports about how many packages have now had a bug forwarded upstream,
> how many upstreams have released a newer version with the fix, how many
> upstreams have a fix that is not released, etc

I added to the wiki a few links:
- my ben page. Similar to release team's page but it shows which package
  moved to 1.0 and which more towards 1.1. (updated ~17.15 UTC).

- BTS user tags bugs. All bugs reported by Kurt and myself were user
  tagged.

> Regards,
> 
> Daniel

Sebastian



Re: OpenSSL 1.1.0 / transition process

2016-11-15 Thread Daniel Pocock
On 15/11/16 16:54, Ian Jackson wrote:
> Lots of people have posted in this thread that they see problems with
> our current approach to the openssl transition.
>
> Do the openssl maintainers have a response?

I just started looking at this thread 2 minutes ago.  I really don't
know where to start.

Would the OpenSSL maintainers and/or release managers consider making a
wiki page about the transition with the most common questions about it,
similar to the upstream wiki but with a Debian focus?

The questions which come to my mind (and may already be answered):

- will it definitely go ahead for stretch?

- will the stretch freeze and release dates be delayed to allow people
to catch up?

- is it expected that package maintainers spend time patching for this,
or we can wait for upstreams to support it?

- given the huge number of packages listed on the transition page, I
couldn't help feeling that it would be useful to be able to get some
reports about how many packages have now had a bug forwarded upstream,
how many upstreams have released a newer version with the fix, how many
upstreams have a fix that is not released, etc

Wearing my upstream hat, I do hope to ensure my own packages support it
sooner rather than later.  Some of them will go into NEW though because
they have ABI or API version numbers in the binary package names, so
they won't be available immediately.

Regards,

Daniel