On 12 December 2017 at 23:15, Marc Deslauriers <[email protected]> wrote:
> On 2017-12-12 10:59 AM, Dimitri John Ledkov wrote:
>> openssl has changed api/abi. Currently Ubuntu ships 1.0.2 LTS series
>> openssl. Newer api/abi is available as a non-lts 1.1.0 series. Both
>> 1.0.2 and 1.1.0 series will go end of life upstream over the lifetime
>> of bionic.
>>
>> TLS 1.3 is currently undergoing standardisation
>> (https://github.com/tlswg/tls13-spec), but it seems like it is still
>> being actively iterated on.
>>
>> The next openssl series is expected to be 1.1.1 and it should be
>> binary compatible with 1.1.0 series. And 1.1.1 series are expected to
>> be released with TLS 1.3 support, after it is finalised and published.
>>
>> In Ubuntu, we would want to avoid shipping two openssl series
>> simultaneously. Or at least avoid having two series in main.
>
> When we did the switch from 0.9.8 to 1.0.0, we kept 0.9.8 in universe,
> and that was a big mistake. Third party applications and a whole slew of
> commonly-used software from universe were using a version of ssl that
> didn't get any security fixes. It was such a problem that we had to
> half-maintain it anyway until we were no longer able to.
>

openssh needs libcrypto only, I do wonder if we can bastardise 1.0.2
packaging to provide libcrypto only, despite shipping sources to build
everything. I have not made an assessment of how many things need
libcrypto alone without libssl1.0.

> I do not wish to repeat that experience if possible, especially for an
> LTS version of Ubuntu we'll need to support for 5 years. If we do switch
> to 1.1, I would prefer 1.0.2 get removed from universe.
>

As far as I understand the current openssl master is positioned to be
released as a 1.1.1 series, api/abi non-breaking w.r.t. the current
stable 1.1.0 series. At one point master did have abi breaks and was
marked as 1.2, but that was reverted / fixed up. But obviously this can
change, as it has not been released.

Based on the upstream timings I think they are free to announce the next
LTS release and/or change maintenance windows in late 2018 or in 2019.

Apart from TLS 1.3, we are missing hw acceleration work that got added in
1.1.0+ on multiple server architectures.

> Have you done a test rebuild of universe packages?
>

No, but I can do one locally and sync build logs.

>>
>> I have rebuilt openssl 1.1.0 package from debian, with modifications
>> to force provide all -dev packages pointing at 1.1.0 series, to
>> validate how many outstanding packages in main still do not support
>> 1.1.0 series api/abi in bionic in main.
>>
>> The failed build logs for main can be seen here:
>> https://launchpad.net/~xnox/+archive/ubuntu/openssl/+packages?field.name_filter=&field.status_filter=published&field.series_filter=bionic
>>
>> These are:
>> bind9
>> freerdp
>> linux
>> nagios-nrpe
>> net-snmp
>> openhpi
>> openssh
>> pam-p11
>> ppp
>> qtbase-opensource-src
>> ruby2.3
>> wpa
>> wvstreams
>> xchat-gnome
>>
>> Thus there are 14 packages to fix.
>>
>> Of which
>> - ruby2.5 supports the new abi, and it is expected there will be 2.5
>> transition in Debian/Ubuntu soon
>> - Qt 5.10 has new abi support, and there is backport branch/patch that
>> applies to 5.9 series
>> - openssh is being worked on and is complex, I am hoping for this
>> solution to work out
>> https://github.com/openssh/openssh-portable/pull/48
>> - linux is an unidentified failure, maybe a generic FTBFS
>>
>> Meaning 10 packages are in the unknown state of progress. I'm not sure
>> if it is feasible to switch to 1.1.0 openssl without all of the above
>> packages fixed to work with the new API.
>>
>> Feel free to use openssl from the above PPA for test builds only, as
>> it is entirely unsupported PPA and may go away at any point.
>> It is not compatible with either Ubuntu or Debian, nor ever will be,
>> due to overriding of the meta-package to point at 1.1.0 series openssl
>> unconditionally.
>>
>> Timeline:
>>
>> * I hope that TLS WG can standardise TLS 1.3 soon
>>
>> * I hope that OpenSSL team can release 1.1.1 series with TLS 1.3 soon
>> and declare it LTS series
>>
>> * Or at least I hope that OpenSSL team could consider extending 1.1.0
>> series security support timeframe
>
> This is the big issue. If upstream don't declare the 1.1 series to be
> their next LTS series, we'll be shipping an interim release which could
> possibly be different enough to both 1.0.2 and a future 1.2 that would
> prevent us from being able to maintain it properly. Unless we get
> assurance from upstream that 1.1 will be the next LTS, I'd much rather
> we stay on 1.0.2 which will be supported for a longer period.
>

Note that 1.1.1 and 1.1.0 are binary compatible, yet are treated as
separate series and can have different support timelines.

>>
>> .... so I wish all that for Christmas or a unicorn. I fear, I may end
>> up with a unicorn.
>>
>
> Can we task the unicorn with backporting openssl fixes? :)
>

But seriously, can we estimate how much contracting such a unicorn would
cost? And if we can justify it?

Also note, I do not know the status of 1.1.0/1.1.1 series FIPS patches
progress which may be one more spanner in the works.

Regards,

Dimitri.

-- 
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
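The thread leaves open how many packages need libcrypto alone (as openssh does) versus full libssl, and which series they are built against. The script below is an added example, not part of the thread and not Ubuntu or Debian packaging tooling: it classifies one ELF binary's OpenSSL linkage from the NEEDED entries in `objdump -p` output. It assumes the Ubuntu sonames libssl.so.1.0.0/libcrypto.so.1.0.0 for the 1.0.2 series and libssl.so.1.1/libcrypto.so.1.1 for 1.1.0 and 1.1.1 (which share an ABI and therefore a soname); the sample inputs at the bottom are constructed, not captured from real packages.

```shell
#!/bin/sh
# Added example: classify a binary's OpenSSL linkage from `objdump -p` NEEDED lines.
# Assumed sonames: libssl.so.1.0.0 / libcrypto.so.1.0.0 (1.0.2 series),
#                  libssl.so.1.1   / libcrypto.so.1.1   (1.1.0 and 1.1.1 series).

# classify_ssl_linkage: reads `objdump -p` text on stdin and prints
# "<class> <series>", where class is one of
#   libssl+libcrypto  (binary needs libssl; libssl pulls libcrypto anyway)
#   libcrypto-only    (the openssh case: no libssl dependency at all)
#   none
# and series is 1.0, 1.1, or "mixed" when libssl and libcrypto disagree.
classify_ssl_linkage() {
    awk '
    # series("libssl.so.1.0.0") -> "1.0", series("libcrypto.so.1.1") -> "1.1"
    function series(soname) {
        sub(/^lib[a-z]*\.so\./, "", soname)
        return substr(soname, 1, 3)
    }
    $1 == "NEEDED" && $2 ~ /^libssl\.so\./    { ssl    = series($2) }
    $1 == "NEEDED" && $2 ~ /^libcrypto\.so\./ { crypto = series($2) }
    END {
        if (ssl == "" && crypto == "") { print "none"; exit }
        if (ssl != "" && crypto != "" && ssl != crypto) { s = "mixed" }
        else if (ssl != "")                              { s = ssl }
        else                                             { s = crypto }
        if (ssl != "") print "libssl+libcrypto " s
        else           print "libcrypto-only " s
    }'
}

# scan_binary: wrapper for a real file; needs binutils objdump on PATH.
# Prints "<path> <class> <series>"; non-ELF files come out as "none".
scan_binary() {
    printf '%s %s\n' "$1" "$(objdump -p "$1" 2>/dev/null | classify_ssl_linkage)"
}

# Demo on constructed `objdump -p` excerpts (hypothetical binaries, not real output).
printf 'sshd-like   : %s\n' "$(printf '  NEEDED               libcrypto.so.1.0.0\n  NEEDED               libc.so.6\n' | classify_ssl_linkage)"
printf 'wget-like   : %s\n' "$(printf '  NEEDED               libssl.so.1.1\n  NEEDED               libcrypto.so.1.1\n' | classify_ssl_linkage)"
printf 'plain-binary: %s\n' "$(printf '  NEEDED               libc.so.6\n' | classify_ssl_linkage)"
```

To turn this into the assessment discussed above, run `for f in /usr/bin/* /usr/sbin/* /usr/lib/*/*.so*; do scan_binary "$f"; done | grep -v ' none$'` on a bionic chroot and count the `libcrypto-only 1.0` lines; those are the consumers a libcrypto-only 1.0.2 package would have to keep serving, and anything reporting `mixed` has been linked against two series at once and needs a rebuild regardless of which series is chosen.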
