Tuesday 12 December 2017

Re: Road to new openssl

On Tue, Dec 12, 2017 at 03:59:50PM +0000, Dimitri John Ledkov wrote:
> openssl has changed api/abi. Currently Ubuntu ships 1.0.2 LTS series
> openssl. Newer api/abi is available as a non-lts 1.1.0 series. Both
> 1.0.2 and 1.1.0 series will go end of life upstream over the lifetime
> of bionic.
>
> TLS 1.3 is currently undergoing standardisation
> (https://github.com/tlswg/tls13-spec) But it seems like it is still
> being actively iterated on.
>
> The next openssl series is expected to be 1.1.1 and it should be
> binary compatible with 1.1.0 series. And 1.1.1 series are expected to
> be released with TLS 1.3 support, after it is finalised and published.
>
> In Ubuntu, we would want to avoid shipping two openssl series
> simultaneously. Or at least avoid having two series in main.
>
> I have rebuilt the openssl 1.1.0 package from debian, with modifications
> to force-provide all -dev packages pointing at the 1.1.0 series, to
> validate how many outstanding packages in main still do not support
> the 1.1.0 series api/abi in bionic.
>
> The failed build logs for main can be seen here:
> https://launchpad.net/~xnox/+archive/ubuntu/openssl/+packages?field.name_filter=&field.status_filter=published&field.series_filter=bionic
>
> These are:
> bind9

Fixed in Debian unstable; Server Team will merge it this cycle.

> freerdp

Fix available upstream: https://github.com/FreeRDP/FreeRDP/issues/3098

> linux
> nagios-nrpe

Looks like we have an Ubuntu delta for OpenSSL 1.0 compatibility which could
be easily dropped
(https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1715167)

> net-snmp

Patch available in Debian BTS, was deferred for stretch:
https://bugs.debian.org/828449

> openhpi

Debian bug, no patch: https://bugs.debian.org/859543

> openssh

As discussed.

> pam-p11

Debian bug, no patch: https://bugs.debian.org/871939
Upstream issue open: https://github.com/OpenSC/pam_p11/issues/6

> ppp

Ubuntu-specific build failure due to non-upstreamed eap-tls patch. Patch
author has new version of patch available at
https://www.nikhef.nl/~janjust/ppp/download.html for OpenSSL 1.1.

> qtbase-opensource-src
> ruby2.3
> wpa

New version available in Debian unstable with support for openssl 1.1.

> wvstreams

Debian bug, no patch: https://bugs.debian.org/859791
Unclear where the current 4.6.1 release originated from, the packaging
points to https://github.com/apenwarr/wvstreams for the upstream but this
has 4.3 as the last upstream release in 2010 and no commits since 2010.
wvstreams is in main for wvdial, seeded on the live image, a decision last
reviewed in 2010
(https://bugs.launchpad.net/ubuntu/+source/ubuntu-meta/+bug/400573). This
should probably be reviewed for 18.04.

> xchat-gnome

Ubuntu-only package (dropped in Debian, dropped subsequently in Ubuntu, then
brought back). Did not ship in yakkety or zesty; when restored in artful it
went straight to main because it was still seeded, but it's unclear this was
ever reviewed by the Desktop Team or whether they want this package still in
main. (The re-uploader is not a member of the Desktop Team.)


> Thus there are 14 packages to fix.
>
> Of which
> - ruby2.5 supports the new abi, and it is expected there will be 2.5
> transition in Debian/Ubuntu soon
> - Qt 5.10 has new abi support, and there is backport branch/patch that
> applies to 5.9 series
> - openssh is being worked on and is complex, I am hoping for this
> solution to work out
> https://github.com/openssh/openssh-portable/pull/48
> - linux is an unidentified failure, maybe a generic FTBFS
>
> Meaning 10 packages are in the unknown state of progress. I'm not sure
> if it is feasible to switch to 1.1.0 openssl without all of the above
> packages fixed to work with the new API.
>
> Feel free to use openssl from the above PPA for test builds only, as
> it is entirely unsupported PPA and may go away at any point.
> It is compatible with neither Ubuntu nor Debian, nor will it ever be,
> due to overriding of the meta-package to point at the 1.1.0 series
> openssl unconditionally.
>
> Timeline:
>
> * I hope that the TLS WG can standardise TLS 1.3 soon
>
> * I hope that the OpenSSL team can release the 1.1.1 series with TLS 1.3
> soon and declare it an LTS series
>
> * Or at least I hope that OpenSSL team could consider extending 1.1.0
> series security support timeframe
>
> .... so I wish all that for Christmas or a unicorn. I fear, I may end
> up with a unicorn.

There are still some unresolved upstream porting issues, and openssh is
certainly the big one. But it looks like the upstream TLS 1.3
standardization is the main blocker.

Thanks,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org