Heads up: OpenSSL3 transition

Simon Chopin simon.chopin at canonical.com
Tue Nov 23 08:22:32 UTC 2021


Hi,

(dropping the ubuntu-release@ from the CC list, as the moderation delay
makes having a thread there a bit senseless)

Quoting Robie Basak (2021-11-22 17:59:32)
> On Fri, Nov 19, 2021 at 12:54:22PM -0500, Sergio Durigan Junior wrote:
> > I'd like to raise something.  I apologize for sending this message on
> > such short notice.
> >
> > I am working on net-snmp, squid and a few other packages during this
> > transition, and I am feeling concerned with how uncomfortable some of
> > our upstreams seem to be regarding their patches to support OpenSSL 3.
> > I can mention a few cases here.
> >
> > net-snmp has a patch to support OpenSSL 3 in theory, but they are still
> > discussing a few details here:
> > https://github.com/net-snmp/net-snmp/issues/294 .  It seems like they
> > have sorted out most of the issues so far, which is good, but I'm still
> > not 100% confident in backporting their patch yet.
>
> Just to add to this, when we do have patches ready, what should be our
> process to get any security-sensitive backport patches reviewed - in the
> cases that we're introducing them ahead of an upstream release - to
> avoid inadvertent security regressions?

Thanks for voicing this. I'm afraid I personally cannot answer this
question, as I feel I lack the relevant experience.

However, a first step could perhaps be to document all those patches on
LP, using the existing tag 'transition-openssl3-jj', and notify upstream
when we upload unreleased patches, on the relevant PR/MR/thread?

(which would mean I probably have a backlog of notifying to do...)

Cheers,
Simon


