On 2023-05-15 05:18, Adrien Nader wrote:
Hello,
Ubuntu currently ships openssl 3.0. Debian will release with 3.0.
Debian experimental contains 3.1. Openssl 3.1 has been out for a couple
months. It seemed natural to switch to 3.1 which contains a number of
interesting changes including fixes for performance regressions except
that...
Quoting https://www.openssl.org/policies/releasestrat.html :
- Version 3.1 will be supported until 2025-03-14
- Version 3.0 will be supported until 2026-09-07 (LTS).
The support for 3.1 spans two years while the support for 3.0 spans 5
years since it's an LTS.
If the openssl teams keeps the same cadence (I love extrapolating with
only two data points, it's much simpler), then 3.2 could be released
September 2024 and it could be just in time to be included in 24.10 but
obviously not 24.04. There's also no indication at the moment that 3.2
would be an LTS release. As for 3.3, it would be released March 2026 and
that would still be early enough to make it the next LTS.
As I said, these dates are extrapolation based on the 3.0 to 3.1 release
and I haven't seen communication from the openssl team about their
roadmap besides that they had to remove it at some point because it
needed more work. It's seems unlikely that the result of "more work" is
as simple as "release every 18 months".
In any case, it seems unlikely that 3.2 is released in time for 24.04
feature freeze AND is an LTS. I'm going to raise this topic on the
openssl issue tracker but I wanted to begin the discussion here since
the same issue is likely to pop again in the future.
In short:
In 24.04, do we want to include a release of openssl that will be
supported for "at least two years", possibly starting a year before our
release, or do we want to include a release that will be supported for
"at least five years", possibly starting two years before our release.
I'd rather we stick with an OpenSSL LTS release, as that is possibly what others
distros will be using and we will be able to collaborate on fixes once the
upstream support goes away.
Bonus questions:
What do we do when the support on the openssl side ends but there's
three more years of support for our LTS releases?
We do like we do for all the other packages in our archive, we backport patches
to the unsupported version. (And we support our LTS releases for a minimum of 10
years now...)
In case we SRU newer versions of openssl, will we attempt to maintain
the same behaviour? (I wanted to ask that question but the answer is
probably not a yes/no: a best-effort policy might make more sense)
We don't SRU newer versions of OpenSSL. The attempts we've made in the past to
SRU a minor point release resulted in hundreds of fixes required all over the
archive and caused regressions for users. Backporting security fixes and
specific bug fixes is the best approach.
Marc.
--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
