Tuesday, 12 December 2017

Re: Road to new openssl

On 2017-12-12 10:59 AM, Dimitri John Ledkov wrote:
> openssl has changed api/abi. Currently Ubuntu ships 1.0.2 LTS series
> openssl. Newer api/abi is available as a non-lts 1.1.0 series. Both
> 1.0.2 and 1.1.0 series will go end of life upstream over the lifetime
> of bionic.
> TLS 1.3 is currently undergoing standardisation
> (https://github.com/tlswg/tls13-spec) But it seems like it is still
> being actively iterated on.
> The next openssl series is expected to be 1.1.1 and it should be
> binary compatible with 1.1.0 series. And 1.1.1 series are expected to
> be released with TLS 1.3 support, after it is finalised and published.
> In Ubuntu, we would want to avoid shipping two openssl series
> simultaneously. Or at least avoid having two series in main.

When we did the switch from 0.9.8 to 1.0.0, we kept 0.9.8 in universe, and that
was a big mistake. Third party applications and a whole slew of commonly-used
software from universe were using a version of ssl that didn't get any security
fixes. It was such a problem that we had to half-maintain it anyway until we
were no longer able to.

I do not wish to repeat that experience if possible, especially for an LTS
version of Ubuntu we'll need to support for 5 years. If we do switch to 1.1, I
would prefer 1.0.2 get removed from universe.

Have you done a test rebuild of universe packages?

> I have rebuild openssl 1.1.0 package from debian, with modifications
> to force provide all -dev packages pointint at 1.1.0 series, to
> validate how many outstanding packages in main still do not support
> 1.1.0 series api/abi in bionic in main.
> The failed build logs for main can be seen here:
> https://launchpad.net/~xnox/+archive/ubuntu/openssl/+packages?field.name_filter=&field.status_filter=published&field.series_filter=bionic
> These are:
> bind9
> freerdp
> linux
> nagios-nrpe
> net-snmp
> openhpi
> openssh
> pam-p11
> ppp
> qtbase-opensource-src
> ruby2.3
> wpa
> wvstreams
> xchat-gnome
> Thus there are 14 packages to fix.
> Of which
> - ruby2.5 supports the new abi, and it is expected there will be 2.5
> transition in Debian/Ubuntu soon
> - Qt 5.10 has new abi support, and there is backport branch/patch that
> applies to 5.9 series
> - openssh is being worked on and is complex, I am hoping for this
> solution to work out
> https://github.com/openssh/openssh-portable/pull/48
> - linux is an unidentified failure, maybe a generic FTBFS
> Meaning 10 packages are in the unknown state of progress. I'm not sure
> if it is feasible to switch to 1.1.0 openssl without all of the above
> packages fixed to work with the new API.
> Feel free to use openssl from the above PPA for test builds only, as
> it is entirely unsupported PPA and may go away at any point.
> It is not compatible with neither Ubuntu or Debian nor ever will be,
> due to overriding of the meta-package to point at 1.1.0 series openssl
> unconditionally.
> Timeline:
> * I hope that TLS WG can standartise TLS 1.3 soon
> * I hope that OpenSSL team can release 1.1.1 series with TLS 1.3. soon
> and declare it LTS series
> * Or at least I hope that OpenSSL team could consider extending 1.1.0
> series security support timeframe

This is the big issue. If upstream don't declare the 1.1 series to be their next
LTS series, we'll be shipping an interim release which could possibly be
different enough to both 1.0.2 and a future 1.2 that would prevent us from being
able to maintain it properly. Unless we get assurance from upstream that 1.1
will be the next LTS, I'd much rather we stay on 1.0.2 which will be supported
for a longer period.

> .... so I wish all that for Christmas or a unicorn. I fear, I may end
> up with a unicorn.

Can we task the unicorn with backporting openssl fixes? :)


ubuntu-devel mailing list
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel