Monday 29 January 2018

Re: Road to new openssl

On 12 December 2017 at 21:23, Steve Langasek <steve.langasek@ubuntu.com> wrote:
>
> On Tue, Dec 12, 2017 at 03:59:50PM +0000, Dimitri John Ledkov wrote:
> > openssl has changed api/abi. Currently Ubuntu ships 1.0.2 LTS series
> > openssl. Newer api/abi is available as a non-lts 1.1.0 series. Both
> > 1.0.2 and 1.1.0 series will go end of life upstream over the lifetime
> > of bionic.
> >
> > TLS 1.3 is currently undergoing standardisation
> > (https://github.com/tlswg/tls13-spec), but it seems like it is still
> > being actively iterated on.
> >
> > The next openssl series is expected to be 1.1.1 and it should be
> > binary compatible with the 1.1.0 series. And the 1.1.1 series is expected to
> > be released with TLS 1.3 support, after it is finalised and published.
> >
> > In Ubuntu, we would want to avoid shipping two openssl series
> > simultaneously. Or at least avoid having two series in main.
> >
> > I have rebuilt the openssl 1.1.0 package from Debian, with modifications
> > to force-provide all -dev packages pointing at the 1.1.0 series, to
> > validate how many outstanding packages in main still do not support
> > the 1.1.0 series api/abi in bionic main.
> >
> > The failed build logs for main can be seen here:
> > https://launchpad.net/~xnox/+archive/ubuntu/openssl/+packages?field.name_filter=&field.status_filter=published&field.series_filter=bionic
> >
> > These are:
> > bind9
>
> Fixed in Debian unstable; Server Team will merge it this cycle.
>

In progress

> > freerdp
>
> Fix available upstream: https://github.com/FreeRDP/FreeRDP/issues/3098
>

To cherrypick.

> > linux
> > nagios-nrpe
>
> Looks like we have an Ubuntu delta for OpenSSL 1.0 compatibility which could
> be easily dropped
> (https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1715167)
>

Easy to fix

> > net-snmp
>
> Patch available in Debian BTS, was deferred for stretch:
> https://bugs.debian.org/828449
>

Fixed.

> > openhpi
>
> Debian bug, no patch: https://bugs.debian.org/859543
>

Fixed.

> > openssh
>
> As discussed.
>
> > pam-p11
>
> Debian bug, no patch: https://bugs.debian.org/871939
> Upstream issue open: https://github.com/OpenSC/pam_p11/issues/6
>

Upload the fix to Debian, will sync.

> > ppp
>
> Ubuntu-specific build failure due to non-upstreamed eap-tls patch. Patch
> author has new version of patch available at
> https://www.nikhef.nl/~janjust/ppp/download.html for OpenSSL 1.1.
>

Todo.

> > qtbase-opensource-src

Todo, there is a patch available for OpenSSL 1.1 compat backport for
this series in Fedora I believe.

> > ruby2.3

ruby2.5 is in universe, transition to do.

> > wpa
>
> New version available in Debian unstable with support for openssl 1.1.
>

Fixed.

> > wvstreams
>
> Debian bug, no patch: https://bugs.debian.org/859791
> Unclear where the current 4.6.1 release originated from, the packaging
> points to https://github.com/apenwarr/wvstreams for the upstream but this
> has 4.3 as the last upstream release in 2010 and no commits since 2010.
> wvstreams is in main for wvdial, seeded on the live image, a decision last
> reviewed in 2010
> (https://bugs.launchpad.net/ubuntu/+source/ubuntu-meta/+bug/400573). This
> should probably be reviewed for 18.04.
>

Proposing to demote to universe.

With the above all done, it is feasible to ship openssl1.1 and openssl1.0
in bionic, with openssh the last remaining package using openssl1.0 in
main.

TLS had one more last call for the next draft of TLS1.3 to be published.
https://www.ietf.org/mail-archive/web/tls/current/msg25263.html

OpenSSL published an update
(https://www.openssl.org/blog/blog/2018/01/18/f2f-london/) which does
state that everyone should move to 1.1.0 and that the next series will be
1.1.1 with TLS1.3 support, and hence api/abi compatible with the 1.1.0
series.

I would like to make a call for openssl1.1 inclusion in Bionic main.

Regards,

Dimitri.

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel