Bug#1023697: Keep out of testing
On Wed, Nov 16, 2022 at 03:27:53PM +0100, Jan Altenberg wrote:
> On Thu, 10 Nov 2022 22:45:57 +0100 Bastian Germann wrote:
> > As a new maintainer has stepped up, this cannot be the reason anymore
> > to dump the package. Actually, with the next version of swupdate (one
> > of those handful) I wanted to switch from OpenSSL to SWUpdate.
>
> We're glad to hear, there's a new maintainer.
>
> > It would also be interesting for Debian's downstreams who take a
> > different approach to combining OpenSSL with GPL-2-only packages
> > (licenses are incompatible, which Debian heals with the application of
> > the GPL-built-in system library exception). Ubuntu and probably others
> > do not take the same stand and wolfSSL is really the only TLS
> > library that has a usable OpenSSL compatibility layer.
> >
> > If it helps, I can support the new maintainer
>
> OSADL is supporting Bastian with his work on SWUpdate. Quite a few of our
> members are concerned about the license incompatibility issue mentioned
> above.

OSADL can relicense swupdate to GPL-2.0+ or GPL3.0 to address this, has that been considered/is it being worked on?

Cheers,
Moritz
Bug#1023697: Keep out of testing
On Thu, 10 Nov 2022 22:45:57 +0100 Bastian Germann wrote:
> As a new maintainer has stepped up, this cannot be the reason anymore
> to dump the package. Actually, with the next version of swupdate (one
> of those handful) I wanted to switch from OpenSSL to SWUpdate.

As there is no real plan to provide QUIC support in OpenSSL 3 and the performance regressions of OpenSSL 3 are quite important, I may also switch HAProxy to WolfSSL.
Bug#1023697: Keep out of testing
Hi,

On Fri, Nov 25, 2022 at 4:27 AM Bastian Germann wrote:
>
> It would be great to address the CVEs with patches on 4.6.0+p1-0+deb11u1.

A proposed update for the 11.6 point release of bullseye, which is scheduled for next weekend, was filed with the release team. [1] They were also contacted for guidance via IRC.

Kind regards
Felix Lechner

[1] https://bugs.debian.org/1025789

cc: Security Team
Bug#1023697: Keep out of testing
Thanks Bastian, will take a look at adding the patches on 4.6.0+p1-0+deb11u1.

From: Bastian Germann <b...@debian.org>
Sent: Friday, November 25, 2022 5:25 AM
To: 1023...@bugs.debian.org; sirkilam...@msn.com
Subject: Re: Bug#1023697: Keep out of testing

On Tue, 15 Nov 2022 15:27:54 -0800 Felix Lechner wrote:
> On Tue, Nov 8, 2022 at 12:00 PM Moritz Muehlenhoff wrote:
> >
> > open security issues
>
> I also just uploaded a backport for bullseye.

It would be great to address the CVEs with patches on 4.6.0+p1-0+deb11u1. This would actually be helpful and will maybe convince the Security Team to keep wolfSSL in bookworm.

I am not able to identify the fixes for the CVEs quickly but I see that Jacob is affiliated with wolfSSL Inc. so he is probably better equipped to do so. Jacob, would you please do those CVE fix backports?
Bug#1023697: Keep out of testing
On Tue, 15 Nov 2022 15:27:54 -0800 Felix Lechner wrote:
> On Tue, Nov 8, 2022 at 12:00 PM Moritz Muehlenhoff wrote:
> >
> > open security issues
>
> I also just uploaded a backport for bullseye.

It would be great to address the CVEs with patches on 4.6.0+p1-0+deb11u1. This would actually be helpful and will maybe convince the Security Team to keep wolfSSL in bookworm.

I am not able to identify the fixes for the CVEs quickly but I see that Jacob is affiliated with wolfSSL Inc. so he is probably better equipped to do so. Jacob, would you please do those CVE fix backports?
Bug#1023697: Keep out of testing
On Thu, 10 Nov 2022 22:45:57 +0100 Bastian Germann wrote:
> As a new maintainer has stepped up, this cannot be the reason anymore
> to dump the package. Actually, with the next version of swupdate (one
> of those handful) I wanted to switch from OpenSSL to SWUpdate.

We're glad to hear, there's a new maintainer.

> It would also be interesting for Debian's downstreams who take a
> different approach to combining OpenSSL with GPL-2-only packages
> (licenses are incompatible, which Debian heals with the application of
> the GPL-built-in system library exception). Ubuntu and probably others
> do not take the same stand and wolfSSL is really the only TLS
> library that has a usable OpenSSL compatibility layer.
>
> If it helps, I can support the new maintainer

OSADL is supporting Bastian with his work on SWUpdate. Quite a few of our members are concerned about the license incompatibility issue mentioned above. Therefore, there is considerable interest in using WolfSSL as an alternative to OpenSSL in SWUpdate (and other packages).

Greetings,
Jan
Bug#1023697: Keep out of testing
Hi,

On Tue, Nov 8, 2022 at 12:00 PM Moritz Muehlenhoff wrote:
>
> open security issues

I also just uploaded a backport for bullseye.

Kind regards,
Felix Lechner
Bug#1023697: Keep out of testing
Hi,

On Tue, Nov 8, 2022 at 12:00 PM Moritz Muehlenhoff wrote:
>
> wolfssl has no active maintainer, plenty of open security issues and we already
> have too many TLS libraries in our releases. Keep it out of testing. I'm going
> to file bugs against the handful of reverse deps.

Sorry, I have been out ill, but please do what you think is right.

Kind regards
Felix
Bug#1023697: Keep out of testing
Source: wolfssl
Version: 5.2.0-2
Severity: serious

wolfssl has no active maintainer, plenty of open security issues and we already have too many TLS libraries in our releases. Keep it out of testing. I'm going to file bugs against the handful of reverse deps.

Cheers,
Moritz