Hi Robie, On Wed, Sep 27, 2023, Robie Basak wrote: > Hi Adrien, > > Thank you for working on improving OpenSSL in our stable releases! Steve > has already said that performance improvements are acceptable. That's > fine by me as well, but of course subject to review of the specific > changes. I wanted to talk about your longer term goals though: > > On Mon, Aug 28, 2023 at 10:33:12PM +0200, Adrien Nader wrote: > > I've been wanting to _ultimately_ update openssl in our stable releases. > > That means updating 22.04 with another openssl LTS. Before anyone > > panics: that's a really long term goal. > > > > Since openssl had relatively small SRUs in the past years, I had planned > > to do things very progressively. At the moment we have 3.0.10 in Mantic > > (I didn't check who updated it but thanks!) and 3.0.8 in Lunar. No > > regression compared to Jammy's 3.0.2. I didn't read about issues on > > other distros either. That's encouraging. > > Have you done any research about previous regressions in OpenSSL we've > had? Dimitri mentioned some. I try to tag these in the bug tracker so > that they can be found later for analysis[1], and I think they're quite > interesting in themselves.
I saw Dimitri's message but I was on vacation or just back from vacation and I've been constantly remembering about it but never when in front of my computer. I'll bring that up again. Thanks for mentioning it again! I wasn't aware of the regression-update tag. That's very interesting and I'll definitely keep that in mind. > Here are some that demonstrate use cases that might influence our future > decisions: > > https://bugs.launchpad.net/debian/+source/nodejs/+bug/1779863 - nodejs > upstream arrange to build against an ABI and then ship their own built > binaries to third parties who then use an Ubuntu LTS expecting that ABI. > > https://bugs.launchpad.net/ubuntu/cosmic/+source/net-snmp/+bug/1794589 - > similar to above (or perhaps the same) - nodejs upstream consider the > OpenSSL ABI version "pinned" against every upstream release for the > purpose of binary compatibility of built binary modules around their > ecosystem. > > https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1979639 - ABI > also means configuration file formatting in /etc/ssl/ > > https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/986147 - prior to > release of Precise, the move from 1.0.0 to 1.0.1 changed behaviour in a > way that broke quite a few users in what sounds like an upstream > microrelease update. This was a long time ago though. Perhaps upstream > have revised their policies on releases since. > > Also, bugs tagged bionic-openssl-1.1 (I see 109 tasks though that > includes multiple tasks against the same bugs) track the issues Dimitri > mentions caused by the introduction of 1.1 into Bionic. When searching > for these, be sure to include "Fix Released", "Invalid", "Won't Fix" and > suchlike since a simple tag search won't find tasks against stable > releases otherwise. > > Again, I appreciate you driving maintenance for OpenSSL in Ubuntu. I > hope the above will help inform your choices. If these past classes of > issues have been addressed and are unlikely to recur, that's fine too if > there's some analysis that demonstrates that! Basically, I would like that by NN we have a framework to decide whether an SRU for openssl specifically is safe. There are several criteria: I know of at least ABI, behavior and configuration. ABI is probably the only one which can be verified automatically but I don't think there's an explicit process for that at the moment. Compatibility for behavior and configuration are more difficult to assess and I know of no automated analysis for these. I checked the issues you linked to and I think ensuring the ABI is the same would have prevented two of these. The configuration one _should_ not happen with a .patch version and might be easy enough to spot in a limited set of patches. The 1.0.1 one is the most unexpected one and needs reviews and tests (I think that's actually an issue I was looking for but only had vague recollections about and couldn't find anymore in the noise after 10 years :) ). I'll have a look at the bionic-openssl-1.1 issues, thanks. I'm interesting in looking at as many possible issues in order to come up with the best rules and be sure everything is safe. Honestly, I wish we didn't have to do that but it looks like 3.0.notthatmuch releases had a lot of issues. I don't know if there will be the same interest in updating 24.04's openssl since that version will be including 2 years of fixes and only few new bugs. It's also getting far less likely that there will be further performance improvements in 3.0.x. Thinking about all of this as I type, I think I will compare the ABIs of 3.0.2 (jammy's) and 3.0.11 (mantic's) tomorrow^Wtonight. Much to my surprise, the ABIs for jammy and mantic appear identical. At least that's not immediately ruling out SRUs. I'll try to quantify the amount of fixes going in over time for the 3.0.x series on tomorrow. Really, I don't have definite answers there. My actual goal is to be able to come up with criteria that will help find them and if the answers end up being that we can't update safely, then so be it. -- Adrien -- Ubuntu-release mailing list Ubuntu-release@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-release
