Web lists-archives.com

Re: libressl in Buster?




	Hi.

On Mon, Nov 05, 2018 at 06:18:00AM +0100, Harald Dunkel wrote:
> On 11/3/18 4:42 PM, Reco wrote:
> > 	Hi.
> > 
> > On Sat, Nov 03, 2018 at 03:37:06PM +0100, Harald Dunkel wrote:
> >>
> >> I don't see a short release cycle as a bad feature. Its a sign of
> >> active and agile development.
> > 
> > And in Debian stable that also means that it's close to impossible to
> > backport security fixes to chosen version (because it's "too old").
> > Updating such fundamental library can (and probably *will*) lead to
> > API/ABI breakage. While tolerable at sid/testing, such things are
> > frowned upon at stable.
> 
> Thats a home-made problem affecting many packages in Debian, RedHat EL,
> and others.

Yet that's a price they agree to pay for a predictable software
behaviour during a lifecycle of a single major release.
And that's IBM EL now. RedHat's selling out.


> >> Openssl has a bad reputation for introducing security problems,
> >> partly due to its complex and "dangerous code", which was the
> >> major reason for the fork.
> >> https://en.wikipedia.org/wiki/LibreSSL#History
> > 
> > As long as it's used - they will search for vulnerabilities in there.
> > And they will find them. PHP has even worse reputation in this regard,
> > for example, yet you still see people who are using PHP.
> 
> Thats the point. AFAICT there are many alternatives to php. Its upstream's
> job to decide which scripting language to chose.

But there are no alternatives to PHP that match it's (possibly passing)
popularity.


> Debian can chose to include the source packages (php or the tools
> using it) into the distro.

Likewise we have two alternatives to openssl in Debian right now. Gnutls
and NSS. Unlike LibreSSL, they produce stable versions.


> For opensmtpd (the package I am interested in) upstream has decided to
> ditch openssl in favor of libressl. Now Debian has several options in this
> case:
> 
> - add libressl to Debian
> - stick to the old opensmtpd 6.0.3 and openssl and backport security fixes
> - modify opensmtpd 6.4 to make it work with openssl
> - drop opensmtpd

I add fifth. Embed libressl into Debian package of opensmtpd.
It's happened before.

Reco