On Friday, 17 February 2017 18:18:27 CEST David Sommerseth wrote:
> On 17/02/17 17:35, Emmanuel Deloget wrote:
> > I understand that I'm the new guy in town, but can you allow me to
> > make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> > require at least version 1.0.2?
> So to the RHEL releases and the OpenSSL versions.  RHEL 5 ships with
> openssl-0.9.8e.  Both RHEL 6 and RHEL 7 ships with openssl-1.0.1e.
> The way Red Hat releases works is that versions are close to never
> rebased, at least not core libraries such as OpenSSL. 

Both core libraries and non-core libraries are rebased in RHEL. Case in point, 
RHEL 6 originally shipped with openssl-1.0.0[1].
But rebases to releases that are ABI incompatible happen only to packages that 
are explicitly excluded[2] from ABI guarantee. OpenSSL is not one of such 
packages. For obvious reasons, I hope.

> But Red Hat
> employs a lot of users to ensure all packages they distribute is secure
> and maintained.  That means that security and important bug fixes will
> be backported from newer OpenSSL releases to the openssl-1.0.1e
> baseline.  And this happens for the whole life cycle of each major release.


> Sometimes even features are backported as well.

Unfortunately because RHEL-6 is currently in Production Phase 2, soon entering 
Phase 3, providing new feature like openssl-1.0.2 would be an exception[4].

> But I have gotten
> fairly clear signals that TLSv1.3 from openssl-1.1 will not be
> backported, as the code has changed too much since the 1.0.1 baseline.
> But I would be surprised if a future RHEL 8 does not ship with openssl-1.1.x

Well, openssl-1.1.0 is already available for Fedora rawhide :)

(Hope I don't sound too much like a markedroid, but I appreciate the support 
for RHEL you provide so I wanted to let you know exactly where everything is, 
the least I can do)

 1 - http://vault.centos.org/6.0/os/x86_64/Packages/
 2 - https://access.redhat.com/articles/rhel-abi-compatibility
 3 - https://access.redhat.com/security/updates/backporting
 4 - https://access.redhat.com/support/policy/updates/errata
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

Attachment: signature.asc
Description: This is a digitally signed message part.

Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Openvpn-devel mailing list

Reply via email to