Package: release-notes
Severity: normal

With both OpenSSL 1.0.2 and 1.1 included in stretch, the release notes should document which to choose for compiling 3rd party software.
In most cases either will work, but in some circumstances compiling against the wrong OpenSSL version will result in a crashing application (if some library used uses the other OpenSSL version and incompatible data is passed from one OpenSSL version to the other). It was decided to not force the correct OpenSSL version through libssl1.0-dev/libssl-dev dependencies. For packages included in stretch, choosing the correct OpenSSL version was implemented through a review by Kurt half a year ago and RC bugs forcing affected software to use the correct version. For stretch users compiling 3rd party software this should be properly documented. One consumer of this information should be stretch-backports: whenever a package uses libssl1.0-dev in stretch but libssl-dev in buster, the information is required whether compiling with libssl-dev in stretch-backports is safe.
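
An added example, not part of the original report: a shell check that reads `ldd` output for a locally built binary and flags the case described above, where both OpenSSL ABIs end up in one process. The function names and the sample `ldd` listings are constructed for illustration; the sonames assumed are `libssl.so.1.0.2` and `libssl.so.1.1` (with the matching `libcrypto`).

```shell
#!/bin/sh
# Added example. Function names and sample data are hypothetical/constructed.
# Real use:  ldd ./myapp | check_openssl_mix
# Note: ldd can execute code from the inspected binary; use it only on
# binaries you built or otherwise trust.

# Read ldd-style output on stdin; print each distinct OpenSSL ABI version
# (taken from the libssl/libcrypto sonames), one per line.
openssl_sonames() {
    sed -nE 's/^[[:space:]]*lib(ssl|crypto)\.so\.([0-9.]+).*/\2/p' | sort -u
}

# Read ldd-style output on stdin; return 1 if more than one OpenSSL ABI
# version would be loaded into the same process, 0 otherwise.
check_openssl_mix() {
    versions=$(openssl_sonames)
    count=$(printf '%s\n' "$versions" | grep -c . || true)
    case $count in
        0) echo "no OpenSSL linkage found"; return 0 ;;
        1) echo "single OpenSSL version: $versions"; return 0 ;;
        *) echo "MIXED OpenSSL versions:" $versions; return 1 ;;
    esac
}

# Constructed sample: the application was built against libssl-dev (1.1)
# while one of its dependencies was built against libssl1.0-dev (1.0.2).
SAMPLE_MIXED='
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000a00000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000600000)
    libexample.so.4 => /usr/lib/x86_64-linux-gnu/libexample.so.4 (0x00007f0000400000)
    libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f0000200000)
    libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f0000000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007effffc00000)
'

# Constructed sample: everything agrees on 1.0.2.
SAMPLE_CLEAN='
    libexample.so.4 => /usr/lib/x86_64-linux-gnu/libexample.so.4 (0x00007f0000400000)
    libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f0000200000)
    libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f0000000000)
'

printf '%s\n' "$SAMPLE_MIXED" | check_openssl_mix || true
printf '%s\n' "$SAMPLE_CLEAN" | check_openssl_mix
```

A mixed result only shows that both versions are loaded; whether the application actually crashes still depends on OpenSSL data being passed between the two, as the report says.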

