Tuesday, 12 December 2017

Road to new openssl

openssl has changed its api/abi. Currently Ubuntu ships the 1.0.2 LTS
series of openssl. The newer api/abi is available in the non-LTS 1.1.0
series. Both the 1.0.2 and 1.1.0 series will go end of life upstream
over the lifetime of bionic.

TLS 1.3 is currently undergoing standardisation
(https://github.com/tlswg/tls13-spec), but it seems it is still
being actively iterated on.

The next openssl series is expected to be 1.1.1 and it should be
binary compatible with the 1.1.0 series. The 1.1.1 series is expected
to be released with TLS 1.3 support, after it is finalised and published.

In Ubuntu, we would want to avoid shipping two openssl series
simultaneously, or at least avoid having two series in main.

I have rebuilt the openssl 1.1.0 package from Debian, with modifications
that force all -dev packages to be provided pointing at the 1.1.0 series,
to validate how many outstanding packages in main still do not support
the 1.1.0 series api/abi in bionic.

The failed build logs for main can be seen here:
https://launchpad.net/~xnox/+archive/ubuntu/openssl/+packages?field.name_filter=&field.status_filter=published&field.series_filter=bionic

These are:
bind9
freerdp
linux
nagios-nrpe
net-snmp
openhpi
openssh
pam-p11
ppp
qtbase-opensource-src
ruby2.3
wpa
wvstreams
xchat-gnome

Thus there are 14 packages to fix.
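A small helper for triaging a set of failed build logs like the one above, added here as an example and not part of the original post or of the Ubuntu/Debian packaging. It assumes the logs are saved locally as <package>.log (an assumption, not Launchpad's layout) and matches the compiler diagnostics that the 1.1.0 change to opaque structs (EVP_MD_CTX, HMAC_CTX, RSA, DH and friends) typically produces, so that "needs porting to the 1.1.0 api" failures can be separated from unrelated FTBFS.

```shell
#!/bin/sh
# Added example, not from the original post or the Ubuntu/Debian packaging:
# sort failed build logs from a rebuild against openssl 1.1.0 into
# "OpenSSL API break" versus "other FTBFS". The diagnostics matched are the
# well-known symptoms of the 1.1.0 change that made EVP_MD_CTX, HMAC_CTX,
# RSA, DH and similar structs opaque: code that declares them on the stack
# or reads their fields directly stops compiling. Log file names are assumed
# to be <source-package>.log (an assumption, not Launchpad's layout).

OPENSSL_TYPES='EVP_MD_CTX|EVP_CIPHER_CTX|HMAC_CTX|RSA|DSA|DH|EC_KEY|BIGNUM|X509|SSL|SSL_CTX|SSL_SESSION|BIO|EVP_PKEY'

# classify_openssl_log LOGFILE -> prints one of:
#   openssl-api   a compiler error that matches an opaque-struct symptom
#   other-ftbfs   a compiler or make error that does not match
#   no-error      nothing recognisable as an error in the log
classify_openssl_log() {
    log="$1"
    # gcc quotes the type with ASCII or Unicode quotes depending on locale,
    # so anchor on the type name rather than on the quote characters.
    if grep -Eq "error: (dereferencing pointer to incomplete type|invalid use of incomplete typedef) .{1,3}(${OPENSSL_TYPES})( |.{1,3})" "$log"; then
        echo openssl-api
    # Older gcc omits the type name, and "storage size ... isn't known" is
    # generic, so count those only when the failing compile pulls in an
    # openssl header.
    elif grep -Eq "error: (dereferencing pointer to incomplete type|storage size of .* isn.{1,3}t known)" "$log" && grep -q 'openssl/' "$log"; then
        echo openssl-api
    elif grep -Eq '(^|: )error: |^make(\[[0-9]+\])?: \*\*\*' "$log"; then
        echo other-ftbfs
    else
        echo no-error
    fi
}

# triage_logs DIR -> one "package class" line per *.log file, grouped by class
triage_logs() {
    for f in "$1"/*.log; do
        [ -e "$f" ] || continue
        pkg=$(basename "$f" .log)
        printf '%s %s\n' "$pkg" "$(classify_openssl_log "$f")"
    done | sort -k2,2 -k1,1
}
```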

Of which:
- ruby2.5 supports the new abi, and it is expected there will be a 2.5
transition in Debian/Ubuntu soon
- Qt 5.10 has new abi support, and there is a backport branch/patch that
applies to the 5.9 series
- openssh is being worked on and is complex; I am hoping for this
solution to work out:
https://github.com/openssh/openssh-portable/pull/48
- linux is an unidentified failure, maybe a generic FTBFS

Meaning 10 packages are in an unknown state of progress. I'm not sure
if it is feasible to switch to 1.1.0 openssl without all of the above
packages fixed to work with the new API.

Feel free to use openssl from the above PPA for test builds only, as
it is an entirely unsupported PPA and may go away at any point.
It is not compatible with either Ubuntu or Debian, nor will it ever be,
due to the overriding of the meta-package to point at the 1.1.0 series
openssl unconditionally.

Timeline:

* I hope that the TLS WG can standardise TLS 1.3 soon

* I hope that the OpenSSL team can release the 1.1.1 series with TLS 1.3 soon
and declare it an LTS series

* Or at least I hope that the OpenSSL team could consider extending the
1.1.0 series security support timeframe

... so I wish for all that for Christmas, or a unicorn. I fear I may end
up with a unicorn.

--
Regards,

Dimitri.

--
ubuntu-devel mailing list