'Re: Plans for the upcoming Core Updates'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfire-development
Subject:    Re: Plans for the upcoming Core Updates
From:       Michael Tremer via Development <development () lists ! ipfire ! org>
Date:       2018-02-22 22:45:41
Message-ID: 1519339541.2423.13.camel () ipfire ! org
[Download RAW message or body]

On Thu, 2018-02-22 at 21:07 +0100, Peter Müller wrote:
> Hello Michael,
> > Hello guys,
> > 
> > it has been a bit quiet this week on this list. So here is an update for
> > everyone on where we are with the upcoming Core Updates.
> > 
> > I would also like to remind you that we have a monthly telephone conference for
> > further information that is a bit too much to be written down.
> > 
> > So Core Update 119 is branched and ready to be uploaded into testing very soon.
> > I did not merge OpenSSL into it because I thought that the update would a) get
> > too large, b) is harder to test and c) we have some things in C119 already that
> > should be released very very soon because of security reasons.
> > 
> > So basically C119 updates the toolchain, GCC, glibc on all systems. It has some
> > smaller bug fixes and improvements and that is about it. It is a maintenance and
> > housekeeping update, but that's kind of good that we have that isolated from any
> > new features. We should be able to ship this soon without much friction.
> 
> I thought GCC brings some protection against Spectre ("retpolines")...

Well we do have the right compiler now, but this is not active since
the current kernel doesn't support it.

Userspace has no advantage of this.

> > I openend C120 and merged OpenSSL 1.1.0 into it. With that, we should now look
> > at all applications that use OpenSSL and make sure that we get the best out of
> > it. That means, that we should add all new ciphers that we can use now. We
> > should update cipher suites where ever we ship pre-configured ones, etc.
> 
> Yes, I will take care about the OpenSSL-DEFAULT-cipherlist-patch for 1.1.x so we
> can merge that altogether.

Would you also update the ciphersuite for apache, too?

> Best regards,
> Peter Müller
> > 
> > So please everyone review your patches that you have submitted, update them if
> > necessary and post them (again) to this list within the next week.
> > 
> > Again, I do not think that we should allow a long time to pass before this being
> > uploaded into testing.
> > 
> > Best,
> > -Michael
> 
> 
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic