Dear team,
It would be nice if there was a user- and security-friendly best
practice document for distributions (such as Linux distributions) that
freeze on an OpenSSL release version (such as 1.1.1z) and then backport
any important fixes.
Perhaps something like the following:
1. The distributor shall seek to backport as many upstream security
fixes as possible and shall sign up to receive advance confidential
copies of such code changes to attempt a coordinated release at the same
time as the upstream release.
1.1. The version number frozen on should be from the upstream branch
with the latest upstream maintenance end date available at the time of
freezing the version.
2. Any such backport-patched version (as source, library, shared
library, and/or openssl binary) shall be provided with a document named
README.fixes (with a distribution-appropriate extension for such files,
like .txt or .gz) listing the following:
2.1 The version number of the most recent upstream release version
considered at the time of last document update.
2.2 The version number of the upstream release version chosen as the
frozen base, and the date when that choice was made.
2.3 The current differences from that most recent upstream release
version, specifying any upstream security advisories and public CVEs not
completely fixed, but still listing any and all non-security
enhancements not included.
2.4 The current differences from the named frozen base version, with any
net changes back and forth cancelled out (thus not a changelog). Any
change fixing a security issue shall list the upstream security advisory
and public CVE.
2.5. The distribution maintainers that did the backporting and writing
of the document, and (if different) the contact point for reporting
issues/bugs in the backport work.
3. The README.fixes document should, if possible, be made available to
the upstream project.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded