Choice of the openssl version for 23.10 and 24.04

Adrien Nader adrien at notk.org
Mon May 15 09:18:41 UTC 2023


Hello,

Ubuntu currently ships openssl 3.0. Debian will release with 3.0.

Debian experimental contains 3.1. Openssl 3.1 has been out for a couple
of months. It seemed natural to switch to 3.1, which contains a number of
interesting changes including fixes for performance regressions, except
that...

Quoting https://www.openssl.org/policies/releasestrat.html :

- Version 3.1 will be supported until 2025-03-14
- Version 3.0 will be supported until 2026-09-07 (LTS).

The support for 3.1 spans two years while the support for 3.0 spans 5
years since it's an LTS.

If the openssl team keeps the same cadence (I love extrapolating with
only two data points, it's much simpler), then 3.2 could be released in
September 2024, and it could be just in time to be included in 24.10 but
obviously not 24.04. There's also no indication at the moment that 3.2
would be an LTS release. As for 3.3, it would be released in March 2026 and
that would still be early enough to make it the next LTS.

As I said, these dates are an extrapolation based on the 3.0 to 3.1 release
and I haven't seen communication from the openssl team about their
roadmap besides that they had to remove it at some point because it
needed more work. It seems unlikely that the result of "more work" is
as simple as "release every 18 months".

In any case, it seems unlikely that 3.2 is released in time for 24.04
feature freeze AND is an LTS. I'm going to raise this topic on the
openssl issue tracker but I wanted to begin the discussion here since
the same issue is likely to pop again in the future.

In short:

In 24.04, do we want to include a release of openssl that will be
supported for "at least two years", possibly starting a year before our
release, or do we want to include a release that will be supported for
"at least five years", possibly starting two years before our release?

Bonus questions:

What do we do when the support on the openssl side ends but there are
three more years of support for our LTS releases?

In case we SRU newer versions of openssl, will we attempt to maintain
the same behaviour? (I wanted to ask that question, but the answer is
probably not a yes/no: a best-effort policy might make more sense.)

-- 
Adrien