Choice of the openssl version for 23.10 and 24.04

Robie Basak robie.basak at ubuntu.com
Mon Dec 11 10:38:14 UTC 2023


On Mon, Dec 04, 2023 at 10:28:02AM +0100, Adrien Nader wrote:
> We talked about creating a new "openssl" package that is whatever the
> most recent version is (in universe, and probably with no ESM-guarantee
> attached somehow). This might need a bit of fiddling with packaging
> though and in any case, I've had absolutely no time to do that so far.

Please note that this would be problematic for a number of reasons.

If there's something more recent, then users start using it because it's
more recent. Then they are surprised when they find that it has security
caveats. This just leads to disappointment and frustration all round.

We had this situation with MySQL in an LTS release many years ago, and
my conclusion following that was that we should never do it again.

For this reason, I think it's unacceptable to concurrently ship
something newer in a given Ubuntu release unless it comes with all the
same quality commitments we make for the older version.

> no ESM-guarantee attached somehow

I don't speak for Canonical here, but this also seems unworkable because
how would we describe ESM then?

  ESM*

  * except for packages X, Y and Z

If you want to "ship" something like this, best be honest about it and
put it in a PPA IMHO. Then it'd be clear to users that it comes with
no/reduced quality commitments.

Robie