Re: libressl in Buster?
On Mon, Nov 05, 2018 at 06:18:00AM +0100, Harald Dunkel wrote:
> On 11/3/18 4:42 PM, Reco wrote:
> > Hi.
> > On Sat, Nov 03, 2018 at 03:37:06PM +0100, Harald Dunkel wrote:
> >> I don't see a short release cycle as a bad feature. Its a sign of
> >> active and agile development.
> > And in Debian stable that also means that it's close to impossible to
> > backport security fixes to chosen version (because it's "too old").
> > Updating such fundamental library can (and probably *will*) lead to
> > API/ABI breakage. While tolerable at sid/testing, such things are
> > frowned upon at stable.
> That's a home-made problem affecting many packages in Debian, RedHat EL,
> and others.
Yet that's a price they agree to pay for a predictable software
behaviour during a lifecycle of a single major release.
And that's IBM EL now. RedHat's selling out.
> >> Openssl has a bad reputation for introducing security problems,
> >> partly due to its complex and "dangerous code", which was the
> >> major reason for the fork.
> >> https://en.wikipedia.org/wiki/LibreSSL#History
> > As long as it's used - they will search for vulnerabilities in there.
> > And they will find them. PHP has even worse reputation in this regard,
> > for example, yet you still see people who are using PHP.
> That's the point. AFAICT there are many alternatives to PHP. It's upstream's
> job to decide which scripting language to choose.
But there are no alternatives to PHP that match its (possibly passing)
> Debian can choose to include the source packages (PHP or the tools
> using it) into the distro.
Likewise we have two alternatives to OpenSSL in Debian right now: GnuTLS
and NSS. Unlike LibreSSL, they produce stable versions.
> For opensmtpd (the package I am interested in) upstream has decided to
> ditch openssl in favor of libressl. Now Debian has several options in this
> - add libressl to Debian
> - stick to the old opensmtpd 6.0.3 and openssl and backport security fixes
> - modify opensmtpd 6.4 to make it work with openssl
> - drop opensmtpd
I'd add a fifth: embed LibreSSL into the Debian package of opensmtpd.
It's happened before.