Choice of the openssl version for 23.10 and 24.04
Adrien Nader
adrien at notk.org
Tue May 16 16:14:01 UTC 2023
On Tue, May 16, 2023, Marc Deslauriers wrote:
> On 2023-05-15 05:18, Adrien Nader wrote:
> > Hello,
> >
> > Ubuntu currently ships openssl 3.0. Debian will release with 3.0.
> >
> > Debian experimental contains 3.1. Openssl 3.1 has been out for a couple
> > months. It seemed natural to switch to 3.1 which contains a number of
> > interesting changes including fixes for performance regressions except
> > that...
> >
> > Quoting https://www.openssl.org/policies/releasestrat.html :
> >
> > - Version 3.1 will be supported until 2025-03-14
> > - Version 3.0 will be supported until 2026-09-07 (LTS).
> >
> > The support for 3.1 spans two years while the support for 3.0 spans 5
> > years since it's an LTS.
> >
> > If the openssl teams keeps the same cadence (I love extrapolating with
> > only two data points, it's much simpler), then 3.2 could be released
> > September 2024 and it could be just in time to be included in 24.10 but
> > obviously not 24.04. There's also no indication at the moment that 3.2
> > would be an LTS release. As for 3.3, it would be released March 2026 and
> > that would still be early enough to make it the next LTS.
> >
> > As I said, these dates are extrapolation based on the 3.0 to 3.1 release
> > and I haven't seen communication from the openssl team about their
> > roadmap besides that they had to remove it at some point because it
> > needed more work. It's seems unlikely that the result of "more work" is
> > as simple as "release every 18 months".
> >
> > In any case, it seems unlikely that 3.2 is released in time for 24.04
> > feature freeze AND is an LTS. I'm going to raise this topic on the
> > openssl issue tracker but I wanted to begin the discussion here since
> > the same issue is likely to pop again in the future.
> >
> > In short:
> >
> > In 24.04, do we want to include a release of openssl that will be
> > supported for "at least two years", possibly starting a year before our
> > release, or do we want to include a release that will be supported for
> > "at least five years", possibly starting two years before our release.
>
> I'd rather we stick with an OpenSSL LTS release, as that is possibly what
> others distros will be using and we will be able to collaborate on fixes
> once the upstream support goes away.
OK. I don't have strong opinions on this, especially since I'm not the
one who will be pushing security updates.
My main concern is a possible backlash, especially since 3.0's
performance is sometimes a lot worse than 1.1's and that there won't be
a newer version in a Ubuntu LTS before 26.04 (
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2009544 is one
example ).
> > Bonus questions:
> >
> > What do we do when the support on the openssl side ends but there's
> > three more years of support for our LTS releases?
>
> We do like we do for all the other packages in our archive, we backport
> patches to the unsupported version. (And we support our LTS releases for a
> minimum of 10 years now...)
I had forgotten this was now 10 years; I was too set on Bionic's
schedule.
One advantage of using 3.0 is that it would be the same version as in
Jammy. Maybe even 26.04 will use it too...
> >
> > In case we SRU newer versions of openssl, will we attempt to maintain
> > the same behaviour? (I wanted to ask that question but the answer is
> > probably not a yes/no: a best-effort policy might make more sense)
> >
>
> We don't SRU newer versions of OpenSSL. The attempts we've made in the past
> to SRU a minor point release resulted in hundreds of fixes required all over
> the archive and caused regressions for users. Backporting security fixes and
> specific bug fixes is the best approach.
Thanks for the explanation.
--
Adrien
More information about the Ubuntu-devel-discuss
mailing list