Hi Adrien,

Thank you for working on improving OpenSSL in our stable releases! Steve has already said that performance improvements are acceptable. That's fine by me as well, but of course subject to review of the specific changes. I wanted to talk about your longer term goals though:

On Mon, Aug 28, 2023 at 10:33:12PM +0200, Adrien Nader wrote:
> I've been wanting to _ultimately_ update openssl in our stable releases.
> That means updating 22.04 with another openssl LTS. Before anyone
> panics: that's a really long term goal.
>
> Since openssl had relatively small SRUs in the past years, I had planned
> to do things very progressively. At the moment we have 3.0.10 in Mantic
> (I didn't check who updated it but thanks!) and 3.0.8 in Lunar. No
> regression compared to Jammy's 3.0.2. I didn't read about issues on
> other distros either. That's encouraging.

Have you done any research about previous regressions in OpenSSL we've had? Dimitri mentioned some. I try to tag these in the bug tracker so that they can be found later for analysis[1], and I think they're quite interesting in themselves. Here are some that demonstrate use cases that might influence our future decisions:

https://bugs.launchpad.net/debian/+source/nodejs/+bug/1779863
 - nodejs upstream arrange to build against an ABI and then ship their own built binaries to third parties who then use an Ubuntu LTS expecting that ABI.

https://bugs.launchpad.net/ubuntu/cosmic/+source/net-snmp/+bug/1794589
 - similar to above (or perhaps the same) - nodejs upstream consider the OpenSSL ABI version "pinned" against every upstream release for the purpose of binary compatibility of built binary modules around their ecosystem.

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1979639
 - ABI also means configuration file formatting in /etc/ssl/

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/986147
 - prior to release of Precise, the move from 1.0.0 to 1.0.1 changed behaviour in a way that broke quite a few users in what sounds like an upstream microrelease update. This was a long time ago though. Perhaps upstream have revised their policies on releases since.

Also, bugs tagged bionic-openssl-1.1 (I see 109 tasks, though that includes multiple tasks against the same bugs) track the issues Dimitri mentions caused by the introduction of 1.1 into Bionic. When searching for these, be sure to include "Fix Released", "Invalid", "Won't Fix" and suchlike, since a simple tag search won't find tasks against stable releases otherwise.

Again, I appreciate you driving maintenance for OpenSSL in Ubuntu. I hope the above will help inform your choices. If these past classes of issues have been addressed and are unlikely to recur, that's fine too if there's some analysis that demonstrates that!

Robie

[1] Please, everyone should do this - the regression-update tag is useful not only to flag bugs for attention but also for retrospective analysis to help inform future decisions.
--
Ubuntu-release mailing list
Ubuntu-release@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-release