Processed: Re: Bug#720426: pu: package openssl/1.0.1e-2
Processing control commands:

tags -1 + pending
Bug #720426 [release.debian.org] pu: package openssl/1.0.1e-2
Added tag(s) pending.

--
720426: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720426
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/handler.s.b720426.139134811522101.transcr...@bugs.debian.org
Bug#720426: pu: package openssl/1.0.1e-2
Control: tags -1 + pending

On Thu, 2014-01-30 at 21:52 +, Adam D. Barratt wrote:
> On Thu, 2014-01-30 at 22:27 +0100, Kurt Roeckx wrote:
> > On Thu, Jan 30, 2014 at 08:09:44PM +, Adam D. Barratt wrote:
> > > On Mon, 2013-09-23 at 09:05 +0200, Kurt Roeckx wrote:
> > > > On Mon, Sep 23, 2013 at 05:35:23AM +0200, Cyril Brulebois wrote:
> > > > > Kurt Roeckx k...@roeckx.be (2013-08-21):
> > > > > > [...]
> > > > > > * Enable assembler for the arm targets, and remove armeb. Patch by Riku Voipio riku.voi...@iki.fi (Closes: #676533)
> > > > > > * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
> > > > > > [...]
> > >
> > > The changes have obviously had significant testing in unstable and testing by now; have any further related changes been required? Have the changes had any testing in a stable environment?
> >
> > There have been no changes related to it. I'm also pretty sure that people actually do use that in production.
>
> Okay. Please go ahead, bearing in mind that p-u freeze for 7.4 is this coming weekend.

Flagged for acceptance.

Regards,

Adam
Bug#720426: pu: package openssl/1.0.1e-2
On Mon, 2013-09-23 at 09:05 +0200, Kurt Roeckx wrote:
> On Mon, Sep 23, 2013 at 05:35:23AM +0200, Cyril Brulebois wrote:
> > Kurt Roeckx k...@roeckx.be (2013-08-21):
> > > * Add Polish translation (Closes: #658162)
> > > * Add Turkish translation (Closes: #660971)
> > > * Enable assembler for the arm targets, and remove armeb. Patch by Riku Voipio riku.voi...@iki.fi (Closes: #676533)
> > > * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
> >
> > I'm sorry but I don't think wishlist bug reports qualify for stable uploads. As usual, we could use more consistency across documentation, but either devref[1] or p-u[2] pages give an overview of what can be considered.
>
> I actually consider the arm assembler and nistp curves to be important, even if the bugs might only be filed at severity level wishlist. The nistp curves are even security related since they are then implemented with constant time removing a side channel attack.

I have to agree with Cyril here that the bug really shouldn't have such a low severity if it has genuine security impact.

The changes have obviously had significant testing in unstable and testing by now; have any further related changes been required? Have the changes had any testing in a stable environment?

Regards,

Adam
Bug#720426: pu: package openssl/1.0.1e-2
On Thu, Jan 30, 2014 at 08:09:44PM +, Adam D. Barratt wrote:
> On Mon, 2013-09-23 at 09:05 +0200, Kurt Roeckx wrote:
> > On Mon, Sep 23, 2013 at 05:35:23AM +0200, Cyril Brulebois wrote:
> > > Kurt Roeckx k...@roeckx.be (2013-08-21):
> > > > * Add Polish translation (Closes: #658162)
> > > > * Add Turkish translation (Closes: #660971)
> > > > * Enable assembler for the arm targets, and remove armeb. Patch by Riku Voipio riku.voi...@iki.fi (Closes: #676533)
> > > > * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
> > >
> > > I'm sorry but I don't think wishlist bug reports qualify for stable uploads. As usual, we could use more consistency across documentation, but either devref[1] or p-u[2] pages give an overview of what can be considered.
> >
> > I actually consider the arm assembler and nistp curves to be important, even if the bugs might only be filed at severity level wishlist. The nistp curves are even security related since they are then implemented with constant time removing a side channel attack.
>
> I have to agree with Cyril here that the bug really shouldn't have such a low severity if it has genuine security impact.

If it makes you happy, I can mark the security related bugs serious. I'm also of the opinion that the severity wishlist doesn't say anything about the importance.

> The changes have obviously had significant testing in unstable and testing by now; have any further related changes been required? Have the changes had any testing in a stable environment?

There have been no changes related to it. I'm also pretty sure that people actually do use that in production.

Kurt
Bug#720426: pu: package openssl/1.0.1e-2
Control: tags -1 + confirmed

On Thu, 2014-01-30 at 22:27 +0100, Kurt Roeckx wrote:
> On Thu, Jan 30, 2014 at 08:09:44PM +, Adam D. Barratt wrote:
> > On Mon, 2013-09-23 at 09:05 +0200, Kurt Roeckx wrote:
> > > On Mon, Sep 23, 2013 at 05:35:23AM +0200, Cyril Brulebois wrote:
> > > > Kurt Roeckx k...@roeckx.be (2013-08-21):
> > > > > [...]
> > > > > * Enable assembler for the arm targets, and remove armeb. Patch by Riku Voipio riku.voi...@iki.fi (Closes: #676533)
> > > > > * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
> > > > > [...]
> >
> > The changes have obviously had significant testing in unstable and testing by now; have any further related changes been required? Have the changes had any testing in a stable environment?
>
> There have been no changes related to it. I'm also pretty sure that people actually do use that in production.

Okay. Please go ahead, bearing in mind that p-u freeze for 7.4 is this coming weekend.

Regards,

Adam
Processed: Re: Bug#720426: pu: package openssl/1.0.1e-2
Processing control commands:

tags -1 + confirmed
Bug #720426 [release.debian.org] pu: package openssl/1.0.1e-2
Added tag(s) confirmed.

--
720426: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720426
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#720426: pu: package openssl/1.0.1e-2
On Sat, Dec 14, 2013 at 03:34:03PM +0100, Kurt Roeckx wrote:
> > > I wouldn't bother trying to get those to stable if I didn't think they were important.
> >
> > So can someone please do something about this request?
>
> Ping?

This bug is now almost open for 5 months.

There are basically 2 very easy changes:

1) Add enable-ec_nistp_64_gcc_128 to Configure on *-amd64

This makes the nistp curves used in for instance ECDHE constant time. Being constant time is important for security since it avoids side channel timing attacks. Those allow you to recover the private key based on the timing of the response.

2) Enable assembler on arm. That is replace ${no_asm} with ${armv4_asm}.

This improves the performance on arm.

Both those changes have been very well tested and are in unstable and testing for almost 8 months.

In the mean time there has been a new upstream release containing important bug fixes. You can argue about some of the changes upstream made in the stable branch, but they consider those changes to be important enough to put it in the stable branch. One of the changes is to stop putting a timestamp in server/client hello and instead put something random there like it's supposed to be, which breaks tlsdate.

I would like to get a lot of those changes, in the order of 20 or 30 patches, in stable. But I would actually prefer to just get the new upstream version in stable instead.

Kurt
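Added example, not part of the thread and not OpenSSL code: the timing argument in the message above, modelled with a toy square-and-multiply that stands in for EC scalar multiplication. The modulus, base, keys and function names are constructed; the sketch generalizes beyond the nistp curves and counts group operations instead of measuring cycles.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy group: multiplication modulo the prime 2^61 - 1 stands in
 * for elliptic-curve point addition. Not a real curve, not OpenSSL code. */
#define TOY_P 2305843009213693951ULL

static unsigned long op_count; /* group operations performed so far */

/* One group operation. The product needs a 128-bit integer type, the
 * compiler feature the ec_nistp_64_gcc_128 option name refers to. The %
 * is NOT constant time; this model counts operations, not cycles. */
static uint64_t mulmod(uint64_t a, uint64_t b) {
    op_count++;
    return (uint64_t)(((unsigned __int128)a * b) % TOY_P);
}

/* Variable time: the extra multiply runs only for 1-bits of the secret k,
 * so the total work reveals the Hamming weight of k. */
uint64_t pow_leaky(uint64_t g, uint64_t k) {
    uint64_t r = 1;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r);
        if ((k >> i) & 1)
            r = mulmod(r, g);
    }
    return r;
}

/* Branch-free select: returns a when bit == 1, b when bit == 0. */
static uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t mask = (uint64_t)0 - bit; /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* Fixed sequence: always square and multiply, then keep or discard the
 * product with a mask instead of a secret-dependent branch. */
uint64_t pow_fixed(uint64_t g, uint64_t k) {
    uint64_t r = 1;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r);
        uint64_t t = mulmod(r, g);
        r = ct_select((k >> i) & 1, t, r);
    }
    return r;
}

/* Group operations spent on secret k (base 3 is an arbitrary choice). */
unsigned long ops_leaky(uint64_t k) { op_count = 0; (void)pow_leaky(3, k); return op_count; }
unsigned long ops_fixed(uint64_t k) { op_count = 0; (void)pow_fixed(3, k); return op_count; }

int main(void) {
    uint64_t keys[] = { 1, 0xF0F0F0F0F0F0F0F0ULL, 0xFFFFFFFFFFFFFFFFULL }; /* constructed */
    for (int i = 0; i < 3; i++)
        printf("k=%016llx leaky=%lu fixed=%lu\n", (unsigned long long)keys[i], ops_leaky(keys[i]), ops_fixed(keys[i]));
    return 0;
}
```

The leaky variant spends 64 operations plus one per set bit of the key, while the fixed variant spends 128 for every key.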
Bug#720426: pu: package openssl/1.0.1e-2
On Sat, Dec 14, 2013 at 03:34:03PM +0100, Kurt Roeckx wrote:
> > So can someone please do something about this request?
>
> Ping?

I'll be making an upload to either stable-security or stable soon. If you do not want this speak up now.

Kurt
Bug#720426: pu: package openssl/1.0.1e-2
On Thu, Nov 21, 2013 at 09:35:20PM +0100, Kurt Roeckx wrote:
> On Mon, Sep 30, 2013 at 07:06:33PM +0200, Kurt Roeckx wrote:
> > On Mon, Sep 30, 2013 at 01:46:41AM +0200, Cyril Brulebois wrote:
> > > Control: tag -1 moreinfo
> > >
> > > Kurt Roeckx k...@roeckx.be (2013-09-23):
> > > > I actually consider the arm assembler and nistp curves to be important, even if the bugs might only be filed at severity level wishlist. The nistp curves are even security related since they are then implemented with constant time removing a side channel attack.
> > >
> > > Then the BTS should know, and/or you should have mentioned it in your pu request.
> >
> > I wouldn't bother trying to get those to stable if I didn't think they were important.
>
> So can someone please do something about this request?

Ping?

Kurt
Bug#720426: pu: package openssl/1.0.1e-2
On Mon, Sep 30, 2013 at 07:06:33PM +0200, Kurt Roeckx wrote:
> On Mon, Sep 30, 2013 at 01:46:41AM +0200, Cyril Brulebois wrote:
> > Control: tag -1 moreinfo
> >
> > Kurt Roeckx k...@roeckx.be (2013-09-23):
> > > I actually consider the arm assembler and nistp curves to be important, even if the bugs might only be filed at severity level wishlist. The nistp curves are even security related since they are then implemented with constant time removing a side channel attack.
> >
> > Then the BTS should know, and/or you should have mentioned it in your pu request.
>
> I wouldn't bother trying to get those to stable if I didn't think they were important.

So can someone please do something about this request?

Kurt
Bug#720426: pu: package openssl/1.0.1e-2
On Mon, Sep 30, 2013 at 01:46:41AM +0200, Cyril Brulebois wrote: Control: tag -1 moreinfo Kurt Roeckx k...@roeckx.be (2013-09-23): I actually consider the arm assembler and nistp curves to be important, even if the bugs might only be filed at severity level wishlist. The nistp curves are even security related since they are then implemented with constant time removing a side channel attack. Then the BTS should know, and/or you should have mentioned it in your pu request. I wouldn't bother trying to get those to stable if I didn't think they were important. You also didn't attach the source debdiff we should be considering, and a manual debdiff between -2 and -3 shows unrelated things. For #698447 it's this part: --- openssl-1.0.1e/debian/rules 2013-03-10 21:54:40.0 +0100 +++ openssl-1.0.1e/debian/rules 2013-05-20 17:06:14.0 +0200 @@ -26,6 +27,10 @@ OPTS = $($(ARCHOPTS)) WANTED_LIBC_VERSION = 2.3.1-10 +ifeq ($(DEB_HOST_ARCH_CPU), amd64) + CONFARGS += enable-ec_nistp_64_gcc_128 +endif + build: build-arch build-indep build-arch: build-stamp build-indep: build-stamp For #676533 it's this part: openssl-1.0.1.orig/Configure 2012-03-17 15:37:54.0 + -+++ openssl-1.0.1/Configure2012-03-17 16:13:49.0 + +--- openssl-1.0.1e.orig/Configure 2013-05-20 16:54:11.0 +0200 openssl-1.0.1e/Configure 2013-05-20 16:54:11.0 +0200 @@ -105,6 +105,10 @@ my $gcc_devteam_warn = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED; @@ -13,7 +13,7 @@ my $strict_warnings = 0; my $x86_gcc_des=DES_PTR DES_RISC1 DES_UNROLL; -@@ -338,6 +342,48 @@ +@@ -340,6 +344,48 @@ osf1-alpha-cc, cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so, tru64-alpha-cc, cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so, 
@@ -21,9 +21,8 @@ +debian-alpha,gcc:-DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), +debian-alpha-ev4,gcc:-DTERMIO ${debian_cflags} -mcpu=ev4::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), +debian-alpha-ev5,gcc:-DTERMIO ${debian_cflags} -mcpu=ev5::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), -+debian-armeb,gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), -+debian-armel,gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), -+debian-armhf,gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), ++debian-armel,gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), ++debian-armhf,gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), +debian-amd64, gcc:-m64 -DL_ENDIAN -DTERMIO ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::, +debian-avr32, gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} 
-fomit-frame-pointer::-D_REENTRANT::-ldl:BN_LLONG_BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), +debian-kfreebsd-amd64,gcc:-m64 -DL_ENDIAN -DTERMIOS ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), @@ -58,6 +57,7 @@ +debian-sparc-v8,gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} -mcpu=v8 -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), +debian-sparc-v9,gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} -mcpu=v9 -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), +debian-sparc64,gcc:-m64 -DB_ENDIAN
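Review bot: In the debian/rules hunk, the new conditional on $(DEB_HOST_ARCH_CPU) that appends enable-ec_nistp_64_gcc_128 to CONFARGS carries no comment saying why the option is switched on. The thread justifies it as a constant-time, side-channel-related change, so a one-line comment above the ifeq would keep that rationale next to the build rule, where a later reader of debian/rules will look for it.

Review bot: In the Configure hunk, the debian-armeb target line is dropped in the same edit that switches debian-armel and debian-armhf from ${no_asm} to ${armv4_asm}. For a stable update these are two different kinds of change; stating the armeb removal separately in the patch description, or splitting it into its own patch, would let the assembler switch be reviewed and reverted on its own. The quoted text is also a diff of a patch file (lines starting with -+ and ++), which is hard to check by eye, so the source debdiff requested earlier in the thread would be the better review artifact.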
Processed: Re: Bug#720426: pu: package openssl/1.0.1e-2
Processing control commands:

tag -1 moreinfo
Bug #720426 [release.debian.org] pu: package openssl/1.0.1e-2
Added tag(s) moreinfo.

--
720426: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720426
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#720426: pu: package openssl/1.0.1e-2
Control: tag -1 moreinfo

Kurt Roeckx k...@roeckx.be (2013-09-23):
> I actually consider the arm assembler and nistp curves to be important, even if the bugs might only be filed at severity level wishlist. The nistp curves are even security related since they are then implemented with constant time removing a side channel attack.

Then the BTS should know, and/or you should have mentioned it in your pu request.

You also didn't attach the source debdiff we should be considering, and a manual debdiff between -2 and -3 shows unrelated things.

Mraw,
KiBi.
Bug#720426: pu: package openssl/1.0.1e-2
On Mon, Sep 23, 2013 at 05:35:23AM +0200, Cyril Brulebois wrote:
> Hi Kurt,
>
> Kurt Roeckx k...@roeckx.be (2013-08-21):
> > Package: release.debian.org
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > Severity: normal
> >
> > Hi,
> >
> > I would like to move some of the changes in openssl 1.0.1e-3 to stable. The changes between -2 and -3 that I would like to move to stable are:
> > * Add Polish translation (Closes: #658162)
> > * Add Turkish translation (Closes: #660971)
> > * Enable assembler for the arm targets, and remove armeb. Patch by Riku Voipio riku.voi...@iki.fi (Closes: #676533)
> > * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
>
> I'm sorry but I don't think wishlist bug reports qualify for stable uploads. As usual, we could use more consistency across documentation, but either devref[1] or p-u[2] pages give an overview of what can be considered.

I actually consider the arm assembler and nistp curves to be important, even if the bugs might only be filed at severity level wishlist. The nistp curves are even security related since they are then implemented with constant time removing a side channel attack.

Kurt
Bug#720426: pu: package openssl/1.0.1e-2
Hi Kurt,

Kurt Roeckx k...@roeckx.be (2013-08-21):
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Severity: normal
>
> Hi,
>
> I would like to move some of the changes in openssl 1.0.1e-3 to stable. The changes between -2 and -3 that I would like to move to stable are:
> * Add Polish translation (Closes: #658162)
> * Add Turkish translation (Closes: #660971)
> * Enable assembler for the arm targets, and remove armeb. Patch by Riku Voipio riku.voi...@iki.fi (Closes: #676533)
> * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)

I'm sorry but I don't think wishlist bug reports qualify for stable uploads. As usual, we could use more consistency across documentation, but either devref[1] or p-u[2] pages give an overview of what can be considered.

1. http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
2. http://www.debian.org/releases/proposed-updates.html

I'll wait for a second opinion before closing this pu request though.

Mraw,
KiBi.
Bug#720426: pu: package openssl/1.0.1e-2
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Severity: normal

Hi,

I would like to move some of the changes in openssl 1.0.1e-3 to stable. The changes between -2 and -3 that I would like to move to stable are:
* Add Polish translation (Closes: #658162)
* Add Turkish translation (Closes: #660971)
* Enable assembler for the arm targets, and remove armeb. Patch by Riku Voipio riku.voi...@iki.fi (Closes: #676533)
* enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)

Kurt