On Wednesday, November 17 2021, Simon Chopin wrote:

> Hi all,

Hey Simon,

Thanks for your work on this, BTW. Much appreciated :-).

> You might have noticed that the OpenSSL 3 transition was supposed to get
> started a couple of weeks ago. As usual with these things, it slipped
> away as there were some issues with packages in main that needed to be
> resolved first. Now that it's mostly sorted out, I'm planning on (asking
> nicely someone to) upload the new version of OpenSSL later this week or
> early next week, unless someone raises an objection?

I'd like to raise something. I apologize for sending this message on such short notice.

I am working on net-snmp, squid and a few other packages during this transition, and I am feeling concerned with how uncomfortable some of our upstreams seem to be regarding their patches to support OpenSSL 3. I can mention a few cases here.

net-snmp has a patch to support OpenSSL 3 in theory, but they are still discussing a few details here:

https://github.com/net-snmp/net-snmp/issues/294

It seems like they have sorted out most of the issues so far, which is good, but I'm still not 100% confident in backporting their patch yet.

squid has an open pull request with a bunch of changes needed to support OpenSSL 3. The patches backport and build OK on Jammy, but upstream is still looking for more reviewers/testers before they merge the PR. I decided to run some tests here and give them some feedback, and one of the things I wanted to do was to run autopkgtest with their patches applied. That led me to the discovery that apache2's mod-ssl doesn't work with OpenSSL 3 either, so I filed a bug for it.

apache2 also has an open PR to implement OpenSSL 3 support for the 2.4.x series. They've apparently found a regression on OpenSSL while testing things in Fedora (https://github.com/openssl/openssl/issues/15946), and I found the following thread which is an interesting read:

https://www.mail-archive.com/[email protected]/msg75615.html

While it should be possible to backport the upstream patches and make things build, I'm not entirely sure if this is the right way forward here. I don't want to suggest that we postpone anything, but I thought it would be good to raise these issues here.

Thanks,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
