Re: Heads up: OpenSSL3 transition

2022-01-28 Thread Robie Basak
On Tue, Nov 23, 2021 at 12:22:32AM -0800, Simon Chopin wrote:
> > Just to add to this, when we do have patches ready, what should be our
> > process to get any security-sensitive backport patches reviewed - in the
> > cases that we're introducing them ahead of an upstream release - to
> > avoid inadvertent security regressions?
> 
> Thanks for voicing this. I'm afraid I personally cannot answer this
> question, as I feel I lack the relevant experience.
> 
> However, a first step could perhaps be to document all those patches on
> LP, using the existing tag 'transition-openssl3-jj', and notify upstream
> when we upload unreleased patches, on the relevant PR/MR/thread?
> 
> (which would mean I probably have a backlog of notifying to do...)

For MySQL, I have an MP up now, that seems to work:
https://code.launchpad.net/~racb/ubuntu/+source/mysql-8.0/+git/mysql-8.0/+merge/414742

It's already tagged transition-openssl3-jj, and I am in contact with
upstream, but they don't have anything for us yet.

After it gets through my team's usual peer review process, I'll be
blocked from uploading pending a proper review from the perspective of
verifying correct use of the OpenSSL API.

(and if someone does upload from it, please remove my name from it and
corresponding commits first unless it has received that review)

Robie


-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel


Re: Heads up: OpenSSL3 transition

2021-11-23 Thread Simon Chopin
Hi,

(dropping the ubuntu-release@ from the CC list, as the moderation delay
makes having a thread there a bit senseless)

Quoting Robie Basak (2021-11-22 17:59:32)
> On Fri, Nov 19, 2021 at 12:54:22PM -0500, Sergio Durigan Junior wrote:
> > I'd like to raise something.  I apologize for sending this message on
> > such short notice.
> >
> > I am working on net-snmp, squid and a few other packages during this
> > transition, and I am feeling concerned with how uncomfortable some of
> > our upstreams seem to be regarding their patches to support OpenSSL 3.
> > I can mention a few cases here.
> >
> > net-snmp has a patch to support OpenSSL 3 in theory, but they are still
> > discussing a few details here:
> > https://github.com/net-snmp/net-snmp/issues/294 .  It seems like they
> > have sorted out most of the issues so far, which is good, but I'm still
> > not 100% confident in backporting their patch yet.
>
> Just to add to this, when we do have patches ready, what should be our
> process to get any security-sensitive backport patches reviewed - in the
> cases that we're introducing them ahead of an upstream release - to
> avoid inadvertent security regressions?

Thanks for voicing this. I'm afraid I personally cannot answer this
question, as I feel I lack the relevant experience.

However, a first step could perhaps be to document all those patches on
LP, using the existing tag 'transition-openssl3-jj', and notify upstream
when we upload unreleased patches, on the relevant PR/MR/thread?

(which would mean I probably have a backlog of notifying to do...)

Cheers,
Simon



Re: Heads up: OpenSSL3 transition

2021-11-22 Thread Robie Basak
On Fri, Nov 19, 2021 at 12:54:22PM -0500, Sergio Durigan Junior wrote:
> I'd like to raise something.  I apologize for sending this message on
> such short notice.
> 
> I am working on net-snmp, squid and a few other packages during this
> transition, and I am feeling concerned with how uncomfortable some of
> our upstreams seem to be regarding their patches to support OpenSSL 3.
> I can mention a few cases here.
> 
> net-snmp has a patch to support OpenSSL 3 in theory, but they are still
> discussing a few details here:
> https://github.com/net-snmp/net-snmp/issues/294 .  It seems like they
> have sorted out most of the issues so far, which is good, but I'm still
> not 100% confident in backporting their patch yet.

Just to add to this, when we do have patches ready, what should be our
process to get any security-sensitive backport patches reviewed - in the
cases that we're introducing them ahead of an upstream release - to
avoid inadvertent security regressions?

Robie




Re: Heads up: OpenSSL3 transition

2021-11-19 Thread Sergio Durigan Junior
On Wednesday, November 17 2021, Simon Chopin wrote:

> Hi all,

Hey Simon,

Thanks for your work on this, BTW.  Much appreciated :-).

> You might have noticed that the OpenSSL 3 transition was supposed to get
> started a couple of weeks ago. As usual with these things, it slipped
> away as there were some issues with packages in main that needed to be
> resolved first. Now that it's mostly sorted out, I'm planning on (asking
> nicely someone to) upload the new version of OpenSSL later this week or
> early next week, unless someone raises an objection?

I'd like to raise something.  I apologize for sending this message on
such short notice.

I am working on net-snmp, squid and a few other packages during this
transition, and I am feeling concerned with how uncomfortable some of
our upstreams seem to be regarding their patches to support OpenSSL 3.
I can mention a few cases here.

net-snmp has a patch to support OpenSSL 3 in theory, but they are still
discussing a few details here:
https://github.com/net-snmp/net-snmp/issues/294 .  It seems like they
have sorted out most of the issues so far, which is good, but I'm still
not 100% confident in backporting their patch yet.

squid has an open pull request with a bunch of changes needed to support
OpenSSL 3.  The patches backport and build OK on Jammy, but upstream is
still looking for more reviewers/testers before they merge the PR.  I
decided to run some tests here and give them some feedback, and one of
the things I wanted to do was to run autopkgtest with their patches
applied.  That led me to the discovery that apache2's mod-ssl doesn't
work with OpenSSL 3 either, so I filed a bug for it.

apache2 also has an open PR to implement OpenSSL 3 support for the 2.4.x
series.  They've apparently found a regression on OpenSSL while testing
things in Fedora (https://github.com/openssl/openssl/issues/15946), and
I found the following thread which is an interesting read:

  https://www.mail-archive.com/dev@httpd.apache.org/msg75615.html

While it should be possible to backport the upstream patches and make
things build, I'm not entirely sure if this is the right way forward
here.  I don't want to suggest that we postpone anything, but I thought
it would be good to raise these issues here.

Thanks,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
