Choice of the openssl version for 23.10 and 24.04

Tue May 16 15:06:13 UTC 2023

On 2023-05-15 05:18, Adrien Nader wrote:
> Hello,
> 
> Ubuntu currently ships openssl 3.0. Debian will release with 3.0.
> 
> Debian experimental contains 3.1. Openssl 3.1 has been out for a couple
> months. It seemed natural to switch to 3.1 which contains a number of
> interesting changes including fixes for performance regressions except
> that...
> 
> Quoting https://www.openssl.org/policies/releasestrat.html :
> 
> - Version 3.1 will be supported until 2025-03-14
> - Version 3.0 will be supported until 2026-09-07 (LTS).
> 
> The support for 3.1 spans two years while the support for 3.0 spans 5
> years since it's an LTS.
> 
> If the openssl teams keeps the same cadence (I love extrapolating with
> only two data points, it's much simpler), then 3.2 could be released
> September 2024 and it could be just in time to be included in 24.10 but
> obviously not 24.04. There's also no indication at the moment that 3.2
> would be an LTS release. As for 3.3, it would be released March 2026 and
> that would still be early enough to make it the next LTS.
> 
> As I said, these dates are extrapolation based on the 3.0 to 3.1 release
> and I haven't seen communication from the openssl team about their
> roadmap besides that they had to remove it at some point because it
> needed more work. It's seems unlikely that the result of "more work" is
> as simple as "release every 18 months".
> 
> In any case, it seems unlikely that 3.2 is released in time for 24.04
> feature freeze AND is an LTS. I'm going to raise this topic on the
> openssl issue tracker but I wanted to begin the discussion here since
> the same issue is likely to pop again in the future.
> 
> In short:
> 
> In 24.04, do we want to include a release of openssl that will be
> supported for "at least two years", possibly starting a year before our
> release, or do we want to include a release that will be supported for
> "at least five years", possibly starting two years before our release.

I'd rather we stick with an OpenSSL LTS release, as that is possibly what others 
distros will be using and we will be able to collaborate on fixes once the 
upstream support goes away.

> 
> Bonus questions:
> 
> What do we do when the support on the openssl side ends but there's
> three more years of support for our LTS releases?

We do like we do for all the other packages in our archive, we backport patches 
to the unsupported version. (And we support our LTS releases for a minimum of 10 
years now...)

> 
> In case we SRU newer versions of openssl, will we attempt to maintain
> the same behaviour? (I wanted to ask that question but the answer is
> probably not a yes/no: a best-effort policy might make more sense)
> 

We don't SRU newer versions of OpenSSL. The attempts we've made in the past to 
SRU a minor point release resulted in hundreds of fixes required all over the 
archive and caused regressions for users. Backporting security fixes and 
specific bug fixes is the best approach.

Marc.