Friday 28 January 2022

Re: Heads up: OpenSSL3 transition

On Tue, Nov 23, 2021 at 12:22:32AM -0800, Simon Chopin wrote:
> > Just to add to this, when we do have patches ready, what should be our
> > process to get any security-sensitive backport patches reviewed - in the
> > cases that we're introducing them ahead of an upstream release - to
> > avoid inadvertent security regressions?
>
> Thanks for voicing this. I'm afraid I personally cannot answer this
> question, as I feel I lack the relevant experience.
>
> However, a first step could perhaps be to document all those patches on
> LP, using the existing tag 'transition-openssl3-jj', and notify upstream
> when we upload unreleased patches, on the relevant PR/MR/thread?
>
> (which would mean I probably have a backlog of notifying to do...)

For MySQL, I have an MP up now, that seems to work:
https://code.launchpad.net/~racb/ubuntu/+source/mysql-8.0/+git/mysql-8.0/+merge/414742

It's already tagged transition-openssl3-jj, and I am in contact with
upstream, but they don't have anything for us yet.

After it gets through my team's usual peer review process, I'll be
blocked from uploading pending a proper review from the perspective of
verifying correct use of the OpenSSL API.

(and if someone does upload from it, please remove my name from it and
corresponding commits first unless it has received that review)

Robie