Wednesday, 13 December 2017

Re: Road to new openssl

On 12 December 2017 at 23:15, Marc Deslauriers
<> wrote:
> On 2017-12-12 10:59 AM, Dimitri John Ledkov wrote:
>> openssl has changed api/abi. Currently Ubuntu ships 1.0.2 LTS series
>> openssl. Newer api/abi is available as a non-lts 1.1.0 series. Both
>> 1.0.2 and 1.1.0 series will go end of life upstream over the lifetime
>> of bionic.
>> TLS 1.3 is currently undergoing standardisation
>> ( But it seems like it is still
>> being actively iterated on.
>> The next openssl series is expected to be 1.1.1 and it should be
>> binary compatible with 1.1.0 series. And 1.1.1 series are expected to
>> be released with TLS 1.3 support, after it is finalised and published.
>> In Ubuntu, we would want to avoid shipping two openssl series
>> simultaneously. Or at least avoid having two series in main.
> When we did the switch from 0.9.8 to 1.0.0, we kept 0.9.8 in universe, and that
> was a big mistake. Third party applications and a whole slew of commonly-used
> software from universe were using a version of ssl that didn't get any security
> fixes. It was such a problem that we had to half-maintain it anyway until we
> were no longer able to.

openssh needs libcrypto only. I do wonder if we can bastardise 1.0.2
packaging to provide libcrypto only, despite shipping sources to build.
I have not made an assessment of how many things need libcrypto alone
without libssl1.0.

> I do not wish to repeat that experience if possible, especially for an LTS
> version of Ubuntu we'll need to support for 5 years. If we do switch to 1.1, I
> would prefer 1.0.2 get removed from universe.

As far as I understand the current openssl master is positioned to be
released as a 1.1.1 series, api/abi non-breaking w.r.t. the current
stable 1.1.0 series.
At one point master did have abi breaks and was marked as 1.2, but that
was reverted / fixed up.
But obviously this can change, as it has not been released.
Based on the upstream timings I think they are free to announce next
LTS release and/or change maintenance windows late 2018 or in 2019.

Apart from TLS 1.3, we are missing hw acceleration work that got added
in 1.1.0+ on multiple server architectures.

> Have you done a test rebuild of universe packages?

No, but I can do one locally and sync build logs.

>> I have rebuilt the openssl 1.1.0 package from debian, with modifications
>> to force provide all -dev packages pointing at the 1.1.0 series, to
>> validate how many outstanding packages in main still do not support
>> 1.1.0 series api/abi in bionic in main.
>> The failed build logs for main can be seen here:
>> These are:
>> bind9
>> freerdp
>> linux
>> nagios-nrpe
>> net-snmp
>> openhpi
>> openssh
>> pam-p11
>> ppp
>> qtbase-opensource-src
>> ruby2.3
>> wpa
>> wvstreams
>> xchat-gnome
>> Thus there are 14 packages to fix.
>> Of which
>> - ruby2.5 supports the new abi, and it is expected there will be 2.5
>> transition in Debian/Ubuntu soon
>> - Qt 5.10 has new abi support, and there is backport branch/patch that
>> applies to 5.9 series
>> - openssh is being worked on and is complex, I am hoping for this
>> solution to work out
>> - linux is an unidentified failure, maybe a generic FTBFS
>> Meaning 10 packages are in the unknown state of progress. I'm not sure
>> if it is feasible to switch to 1.1.0 openssl without all of the above
>> packages fixed to work with the new API.
>> Feel free to use openssl from the above PPA for test builds only, as
>> it is entirely unsupported PPA and may go away at any point.
>> It is not compatible with either Ubuntu or Debian, nor will it ever be,
>> due to overriding of the meta-package to point at the 1.1.0 series openssl
>> unconditionally.
>> Timeline:
>> * I hope that the TLS WG can standardise TLS 1.3 soon
>> * I hope that the OpenSSL team can release the 1.1.1 series with TLS 1.3 soon
>> and declare it LTS series
>> * Or at least I hope that OpenSSL team could consider extending 1.1.0
>> series security support timeframe
> This is the big issue. If upstream don't declare the 1.1 series to be their next
> LTS series, we'll be shipping an interim release which could possibly be
> different enough to both 1.0.2 and a future 1.2 that would prevent us from being
> able to maintain it properly. Unless we get assurance from upstream that 1.1
> will be the next LTS, I'd much rather we stay on 1.0.2 which will be supported
> for a longer period.

Note that 1.1.1 and 1.1.0 are binary compatible, yet are treated as
separate series and can have different support time lines.

>> ... so I wish all that for Christmas or a unicorn. I fear, I may end
>> up with a unicorn.
> Can we task the unicorn with backporting openssl fixes? :)

But seriously, can we estimate how much contracting such a unicorn
would cost? And if we can justify it?

Also note, I do not know the status of the 1.1.0/1.1.1 series FIPS patches
progress, which may be one more spanner in the works.
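The message above leaves open how many binaries need libcrypto alone versus libssl (and so libcrypto). The script below is an added example, not code from the thread or from Ubuntu's openssl packaging: it classifies ELF files by the NEEDED sonames in their dynamic section, so a libcrypto-only build of 1.0.2 could be weighed against an actual inventory rather than a guess. It assumes `readelf` from binutils is installed for the live scan; the sample soname lists are constructed for the demo and are not real readelf output from any package.

```shell
#!/bin/sh
# Added example (not part of the ubuntu-devel thread): sort binaries into
# "needs libssl", "needs libcrypto only", or "neither" from the NEEDED
# sonames of their dynamic section.

# classify_needed: read NEEDED sonames (one per line) on stdin and print
#   ssl          - links libssl (and therefore libcrypto as well)
#   crypto-only  - links libcrypto but not libssl
#   none         - links neither
classify_needed() {
  has_ssl=0
  has_crypto=0
  while IFS= read -r so; do
    case "$so" in
      libssl.so*)    has_ssl=1 ;;
      libcrypto.so*) has_crypto=1 ;;
    esac
  done
  if [ "$has_ssl" -eq 1 ]; then
    echo ssl
  elif [ "$has_crypto" -eq 1 ]; then
    echo crypto-only
  else
    echo none
  fi
}

# needed_of: print the NEEDED sonames of one ELF file, one per line.
# Assumes binutils readelf, whose NEEDED lines end in "[libfoo.so.1]".
needed_of() {
  readelf -d "$1" 2>/dev/null | awk '/\(NEEDED\)/ { s=$NF; gsub(/[][]/, "", s); print s }'
}

# scan_dir: classify every regular file in a directory and print
# "<class> <path>" for those that link libssl or libcrypto at all.
scan_dir() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    cls=$(needed_of "$f" | classify_needed)
    [ "$cls" = none ] && continue
    echo "$cls $f"
  done
}

# Constructed sample soname lists (not captured from real binaries):
# an sshd-like program that needs libcrypto only, and a curl-like one
# that needs libssl as well.
sample_openssh='libcrypto.so.1.0.0
libc.so.6
libz.so.1'
sample_curl='libssl.so.1.0.0
libcrypto.so.1.0.0
libc.so.6'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$sample_openssh" | classify_needed   # crypto-only
  printf '%s\n' "$sample_curl"    | classify_needed   # ssl
elif [ -n "${1:-}" ]; then
  scan_dir "$1"                                        # e.g. ./script /usr/sbin
fi
```

Running it with a directory argument walks that directory with readelf; `--demo` runs the constructed samples. The match on the soname prefix (`libssl.so*`, `libcrypto.so*`) deliberately covers both the 1.0.0 and 1.1 sonames, so the same inventory works before and after a transition.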

ubuntu-devel mailing list