Web lists-archives.com

Re: libressl in Buster?

On 11/3/18 4:42 PM, Reco wrote:
> 	Hi.
> 
> On Sat, Nov 03, 2018 at 03:37:06PM +0100, Harald Dunkel wrote:
>>
>> I don't see a short release cycle as a bad feature. It's a sign of
>> active and agile development.
> 
> And in Debian stable that also means that it's close to impossible to
> backport security fixes to the chosen version (because it's "too old").
> Updating such a fundamental library can (and probably *will*) lead to
> API/ABI breakage. While tolerable at sid/testing, such things are
> frowned upon at stable.
> 

That's a home-made problem affecting many packages in Debian, RedHat EL,
and others.

> 
>> Openssl has a bad reputation for introducing security problems,
>> partly due to its complex and "dangerous code", which was the
>> major reason for the fork.
>> https://en.wikipedia.org/wiki/LibreSSL#History
> 
> As long as it's used - they will search for vulnerabilities in there.
> And they will find them. PHP has even worse reputation in this regard,
> for example, yet you still see people who are using PHP.
> 

That's the point. AFAICT there are many alternatives to php. It's upstream's
job to decide which scripting language to choose. Debian can choose to
include the source packages (php or the tools using it) into the distro.

For opensmtpd (the package I am interested in) upstream has decided to
ditch openssl in favor of libressl. Now Debian has several options in this
case:

- add libressl to Debian
- stick to the old opensmtpd 6.0.3 and openssl and backport security fixes
- modify opensmtpd 6.4 to make it work with openssl
- drop opensmtpd

IMHO the 2nd and 3rd options imply a lot of additional effort. The
4th option would make the Debian users lose faith in Debian upgrades
(if too many packages are kicked out).


Regards
Harri