Today, this backport request came in for OpenSSL:

https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2003903

This request was made so that allowing SSL_OP_LEGACY_SERVER_CONNECT to actually work would be available in -backports.

Any time OpenSSL comes up on my radar for sponsorship or backporting, it ends up making me ask the Security team for their opinion, because any patches to OpenSSL from Security won't make it to -backports, and because of the ABI/API changes that sneak in with micro-releases of core SSL libraries (openssl, nss, gnutls, ...).

With this brought up, it was discussed in #ubuntu-devel, with me pinging both Dan Streetman and Mattia Rizzolo on IRC. Mattia chimed in, and from that discussion Mattia and I agreed that, due to security reasons, concerns about ABI breakage in packages across the board, and the fact that -backports doesn't get Security Team coverage, we were going to add a category of "core SSL libraries" (with examples) to the Forbidden Packages section of the backports policies.

Right now this has a +2: Mattia and I are in support of it, and with that we made the change, as it currently gives a majority decision among the Backporters team.  Additionally, Security wanted to make it known that they wouldn't want to see OpenSSL land in -backports because of OpenSSL's huge integration footprint, which could introduce many breakages in non-backports packages when a backported OpenSSL or similar is used by libraries.

I've made this revision to the backports policies because Mattia and I reached an agreement on IRC about it; we can revert it in a future discussion if necessary.  Per policy, this is the note for the discussion here on the ML.


Thomas Ward

Backporters Member


--
ubuntu-backports mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports