On Tue, Sep 04, 2018 at 12:12:56AM +0200, Sebastian Andrzej Siewior wrote:
> Package: release.debian.org
> User: release.debian....@packages.debian.org
> Usertags: pu
> Tags: stretch
> Severity: normal

I can't speak for the SRMs, but personally I'm in favour of this. In fact, I had been meaning to contact you and Kurt wrt switching to releasing the openssl micro releases for buster-security onwards (but I think it's ok to retroactively apply this for stretch as well).

We've had good results of shipping upstream micro releases in -security for selected packages with sane/well-established release/QA processes and I think openssl is a sensible candidate. Apart from the pure security fixes, there's a grey area of changes which are important to also get to stable (and there have been cases where a bugfix shipped in an openssl stable release turned out to be security-relevant later on).

(I've been deploying custom debs of the 1.0.2x and 1.1.0x openssl releases at work and I haven't run into any compatibility issues/API issues during that).

> The BTS bugs #903566 and #907457 are two examples which were raised
> within Debian.

It also allows building some software in stretch which doesn't work with 1.1.0f, e.g. nodejs 10 requires 1.1.0g as it depends on some API functions only introduced there.

Cheers,
Moritz