Bug#802159: New OpenSSL upstream version

2015-12-15 Thread Kurt Roeckx
On Tue, Dec 15, 2015 at 08:00:59PM +, Adam D. Barratt wrote:
> [dropped explicit CCs to RT and TC members]
> 
> On Tue, 2015-10-20 at 20:37 +0200, Kurt Roeckx wrote:
> > On Tue, Oct 20, 2015 at 01:12:42PM -0500, Don Armstrong wrote:
> > > So from what I'm gathering, this looks like a case where there aren't
> > > enough eyeballs to adequately review this particular set of updates,
> > > coupled with the importance of making sure that these updates are
> > > correct and don't cause any unintended issues.
> > 
> > There is always the case that one person's bug is another person's
> > feature.  But those new upstream versions have been in stable and
> > testing for a while now without actually breaking anything.
> 
> (I'm assuming "unstable".)

I really meant stable.  stable has a newer version than oldstable
from the same 1.0.1 series.


Kurt



Bug#802159: New OpenSSL upstream version

2015-12-15 Thread Kurt Roeckx
On Tue, Dec 15, 2015 at 08:00:59PM +, Adam D. Barratt wrote:
> 
> Even a naively filtered diff - excluding documentation and tests -
> between the 1.0.1k tag and HEAD on upstream's stable branch is much
> larger than I'd imagined (1091 files changed, 73609+, 68591-), but
> paging through it there's a significant amount of "no-op" changes such
> as
> 
> -   seed_len,
> -   param_len;
> + seed_len, param_len;
> 
> that git diff is sadly too dumb to be able to ignore (or I'm too dumb to
> be able to drive it to do so).

There was a reformat of the code between those releases.  See:
https://www.openssl.org/blog/blog/2015/02/11/code-reformat-finished/

It includes the tags before and after the reformat.


Kurt



Bug#802159: New OpenSSL upstream version

2015-12-15 Thread Adam D. Barratt
[dropped explicit CCs to RT and TC members]

On Tue, 2015-10-20 at 20:37 +0200, Kurt Roeckx wrote:
> On Tue, Oct 20, 2015 at 01:12:42PM -0500, Don Armstrong wrote:
> > So from what I'm gathering, this looks like a case where there aren't
> > enough eyeballs to adequately review this particular set of updates,
> > coupled with the importance of making sure that these updates are
> > correct and don't cause any unintended issues.
> 
> There is always the case that one person's bug is another person's
> feature.  But those new upstream versions have been in stable and
> testing for a while now without actually breaking anything.

(I'm assuming "unstable".)

Even a naively filtered diff - excluding documentation and tests -
between the 1.0.1k tag and HEAD on upstream's stable branch is much
larger than I'd imagined (1091 files changed, 73609+, 68591-), but
paging through it there's a significant amount of "no-op" changes such
as

-   seed_len,
-   param_len;
+ seed_len, param_len;

that git diff is sadly too dumb to be able to ignore (or I'm too dumb to
be able to drive it to do so).

Do we have an approximate idea of how far divorced from upstream's
1.0.1e/k releases the corresponding packages in wheezy and jessie
currently are? 

Regards,

Adam
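
An added example, not code from this thread, from OpenSSL or from Debian: a small Python filter for the kind of "no-op" hunk quoted above, which drops unified-diff hunks whose old and new sides yield the same token stream once whitespace and line breaks are ignored. The file name, the surrounding context lines and the second hunk in the sample are constructed, and the function names are this example's own.

```python
import re

# Identifiers/numbers, or unbroken runs of punctuation. Keeping punctuation runs
# intact means "a - -b" and "a--b" tokenize differently and stay in the review.
# Caveat: spacing changes inside string literals are also treated as no-ops.
TOKEN = re.compile(r"\w+|[^\w\s]+")

def is_whitespace_only(hunk):
    """True if the old and new sides of a hunk (list of lines) have equal tokens."""
    old = "\n".join(l[1:] for l in hunk[1:] if l[:1] in (" ", "-"))
    new = "\n".join(l[1:] for l in hunk[1:] if l[:1] in (" ", "+"))
    return TOKEN.findall(old) == TOKEN.findall(new)

def substantive_diff(diff_text):
    """Return (diff text without whitespace-only hunks, number of hunks dropped)."""
    out, header, dropped = [], [], 0
    # Split before every file header and hunk header, keeping the delimiter line.
    for block in re.split(r"(?m)^(?=diff --git |@@ )", diff_text):
        lines = block.splitlines()
        if not lines:
            continue
        if not lines[0].startswith("@@"):
            header = lines          # file header: hold until a hunk survives
        elif is_whitespace_only(lines):
            dropped += 1
        else:
            out += header + lines
            header = []             # emit each file header only once
    return "\n".join(out), dropped

# Constructed sample: hunk 1 is the reformat-style change, hunk 2 a real change.
SAMPLE = """\
diff --git a/crypto/example.c b/crypto/example.c
--- a/crypto/example.c
+++ b/crypto/example.c
@@ -10,4 +10,3 @@
     int counter,
-        seed_len,
-        param_len;
+        seed_len, param_len;
     counter = 0;
@@ -40,2 +39,2 @@
     if (len > 0)
-        n = len;
+        n = len - 1;
"""

if __name__ == "__main__":
    print(*substantive_diff(SAMPLE), sep="\nhunks dropped: ")
```

Comparing the full old and new sides, context lines included, rather than only the `-` and `+` lines means a statement moved past unchanged code is still reported as a change.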