"Cantor, Scott" <canto...@osu.edu> writes: > On 10/30/17, 4:49 PM, "Sam Hartman" <hartm...@debian.org> wrote: > >> My understanding is that the patches already exist, but effort didn't >> exist within Debian to do a good job of taking those patches >> ourselves at least the last time this was discussed on the list. > > They're also up and down the stack and includes Santuario/xml-sec > patches that I'm also stuck making happen, though that should get > released probably next month as xml-security 2.0. The scope of the > patches are such that I definitely advised them not to try it > themselves, and I think they took that advice.
Thanks for summing this up so nicely, Scott. Yes, we're waiting for a new upstream release of the whole stack. OpenSSL 1.1 support will arrive with that. Meanwhile I was pushing for Xerces 3.2, which its maintainer kindly uploaded but it's yet to transition in unstable. XML-Security 2 will require this version, and the current version seems to build with it as well, so we aren't stuck here at least. -- Regards, Feri