RFC on Jammy SRU with OpenSSL 3.0 backports for performance

Robie Basak robie.basak at canonical.com
Wed Sep 27 11:33:20 UTC 2023


Hi Adrien,

Thank you for working on improving OpenSSL in our stable releases! Steve
has already said that performance improvements are acceptable. That's
fine by me as well, but of course subject to review of the specific
changes. I wanted to talk about your longer term goals though:

On Mon, Aug 28, 2023 at 10:33:12PM +0200, Adrien Nader wrote:
> I've been wanting to _ultimately_ update openssl in our stable releases.
> That means updating 22.04 with another openssl LTS. Before anyone
> panics: that's a really long term goal.
> 
> Since openssl had relatively small SRUs in the past years, I had planned
> to do things very progressively. At the moment we have 3.0.10 in Mantic
> (I didn't check who updated it but thanks!) and 3.0.8 in Lunar. No
> regression compared to Jammy's 3.0.2. I didn't read about issues on
> other distros either. That's encouraging.

Have you done any research about previous regressions in OpenSSL we've
had? Dimitri mentioned some. I try to tag these in the bug tracker so
that they can be found later for analysis[1], and I think they're quite
interesting in themselves.

Here are some that demonstrate use cases that might influence our future
decisions:

https://bugs.launchpad.net/debian/+source/nodejs/+bug/1779863 - nodejs
upstream arrange to build against an ABI and then ship their own built
binaries to third parties who then use an Ubuntu LTS expecting that ABI.

https://bugs.launchpad.net/ubuntu/cosmic/+source/net-snmp/+bug/1794589 -
similar to above (or perhaps the same) - nodejs upstream consider the
OpenSSL ABI version "pinned" against every upstream release for the
purpose of binary compatibility of built binary modules around their
ecosystem.

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1979639 - ABI
also means configuration file formatting in /etc/ssl/

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/986147 - prior to
release of Precise, the move from 1.0.0 to 1.0.1 changed behaviour in a
way that broke quite a few users in what sounds like an upstream
microrelease update. This was a long time ago though. Perhaps upstream
have revised their policies on releases since.

Also, bugs tagged bionic-openssl-1.1 (I see 109 tasks though that
includes multiple tasks against the same bugs) track the issues Dimitri
mentions caused by the introduction of 1.1 into Bionic. When searching
for these, be sure to include "Fix Released", "Invalid", "Won't Fix" and
suchlike since a simple tag search won't find tasks against stable
releases otherwise.

Again, I appreciate you driving maintenance for OpenSSL in Ubuntu. I
hope the above will help inform your choices. If these past classes of
issues have been addressed and are unlikely to recur, that's fine too if
there's some analysis that demonstrates that!

Robie


[1] Please, everyone should do this - the regression-update tag is
useful not only to flag bugs for attention but also for retrospective
analysis to help inform future decisions.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-release/attachments/20230927/76066437/attachment.sig>


More information about the Ubuntu-release mailing list