This problem needs to be handled as a bug due to its effect on OpenSSL
use.  Handling single patches with the Ubuntu OpenSSL package creates
this problem, due to the lack of a version update.  Instead, Ubuntu
should be using mainline OpenSSL to avoid problems like
https://en.wikipedia.org/wiki/OpenSSL#Predictable_private_keys_.28Debian-specific.29 .
If there are any problems with using mainline
OpenSSL, they could always be added there, but it would be strange that
there should be any at this point in time, which should make it hard to
justify the current Ubuntu practice of only using individual patches.

Switching to using the mainline OpenSSL source code would help to avoid
liability that would otherwise fall on Ubuntu, for failure with
individual OpenSSL source code changes.  My main concern is having a
dependable OpenSSL version to check based on the public OpenSSL
vulnerabilities that are published.  The situation we have now makes the
Ubuntu OpenSSL version useless, which prevents any reliable checking and
automatically makes the Ubuntu OpenSSL look insecure, or at least
untrustworthy, due to the custom effort required to merge patches.  With
a change to use mainline OpenSSL, usage of OpenSSL can check the version
returned to evaluate if usage is secure.  This is important due to
programming language usage of OpenSSL and the potential for impact on
runtime use.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1649657

Title:
  OpenSSL version is not dependable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1649657/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
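The comment above argues that a runtime check of the OpenSSL version string cannot tell whether a distribution build carries a given fix, because Ubuntu backports patches without changing the upstream version. The following added example (not code from the bug reporter or from Ubuntu) shows what such a check can and cannot see: it parses the string that `ssl.OPENSSL_VERSION` exposes to a program, compares it against a minimum upstream release, and separates a Debian-style package version into its upstream and packaging parts. The version strings and the minimum `1.0.2g` are constructed sample values, not taken from the bug.

```python
import re
import ssl

# Constructed minimum for the demonstration: (major, minor, fix, letter).
# Upstream 1.x releases append a letter (1.0.2g); 3.x releases do not.
MIN_UPSTREAM = (1, 0, 2, "g")

_VERSION_RE = re.compile(r"(?:Open|Libre)SSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.0.2g  1 Mar 2016' into (1, 0, 2, 'g').

    Returns None when the string is not in the upstream format, so a
    caller never mistakes an unparseable build for a safe one.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def meets_minimum(text, minimum=MIN_UPSTREAM):
    """True only if the parsed upstream version is >= minimum.

    Tuple comparison orders letters correctly ('' < 'a' < 'b' ...), and
    a 3.x release compares higher than any 1.x release.
    """
    parsed = parse_openssl_version(text)
    return parsed is not None and parsed >= minimum


def split_package_version(pkg_version):
    """Split a Debian/Ubuntu package version into (upstream, revision).

    '1.0.2g-1ubuntu4.6' -> ('1.0.2g', '1ubuntu4.6'). The library only ever
    reports the upstream part, so two packages that differ only in the
    revision (where backported security fixes live) are indistinguishable
    to a runtime version check.
    """
    upstream, sep, revision = pkg_version.partition("-")
    return (upstream, revision if sep else "")


def runtime_view_is_identical(pkg_a, pkg_b):
    """True when two package versions would present the same upstream
    version string to a program, i.e. a runtime check cannot separate them."""
    return split_package_version(pkg_a)[0] == split_package_version(pkg_b)[0]


if __name__ == "__main__":
    # What the interpreter's own OpenSSL reports on this machine.
    print("runtime:", ssl.OPENSSL_VERSION, "->", parse_openssl_version(ssl.OPENSSL_VERSION))
    # Constructed example of the pitfall the bug report describes.
    unpatched, patched = "1.0.2g-1ubuntu4", "1.0.2g-1ubuntu4.6"
    print("same runtime string:", runtime_view_is_identical(unpatched, patched))
```

The practical consequence is that a program can only assert a lower bound on the upstream release it was linked against; whether a specific backported fix is present has to be read from the package metadata (for example the output of `dpkg -s openssl`), not from the library itself.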
