List:       ubuntu-devel
Subject:    Re: Road to new openssl
From:       Dimitri John Ledkov <xnox () ubuntu ! com>
Date:       2017-12-13 12:56:41
Message-ID: CANBHLUjK872SjkATc8p1PhWzo+AbpDLLsX3XcQpea0viD6N8_w () mail ! gmail ! com

On 12 December 2017 at 23:15, Marc Deslauriers
<marc.deslauriers@canonical.com> wrote:
> On 2017-12-12 10:59 AM, Dimitri John Ledkov wrote:
> > openssl has changed api/abi. Currently Ubuntu ships 1.0.2 LTS series
> > openssl. Newer api/abi is available as a non-lts 1.1.0 series. Both
> > 1.0.2 and 1.1.0 series will go end of life upstream over the lifetime
> > of bionic.
> > 
> > TLS 1.3 is currently undergoing standardisation
> > (https://github.com/tlswg/tls13-spec) But it seems like it is still
> > being actively iterated on.
> > 
> > The next openssl series is expected to be 1.1.1 and it should be
> > binary compatible with 1.1.0 series. And 1.1.1 series are expected to
> > be released with TLS 1.3 support, after it is finalised and published.
> > 
> > In Ubuntu, we would want to avoid shipping two openssl series
> > simultaneously. Or at least avoid having two series in main.
> 
> When we did the switch from 0.9.8 to 1.0.0, we kept 0.9.8 in universe, and that
> was a big mistake. Third party applications and a whole slew of commonly-used
> software from universe were using a version of ssl that didn't get any security
> fixes. It was such a problem that we had to half-maintain it anyway until we
> were no longer able to.
> 

openssh needs libcrypto only. I do wonder if we can bastardise 1.0.2
packaging to provide libcrypto only, despite shipping sources to build
everything.
I have not made an assessment of how many things need libcrypto alone
without libssl1.0.

> I do not wish to repeat that experience if possible, especially for an LTS
> version of Ubuntu we'll need to support for 5 years. If we do switch to 1.1, I
> would prefer 1.0.2 get removed from universe.
> 

As far as I understand, the current openssl master is positioned to be
released as a 1.1.1 series, api/abi non-breaking w.r.t. the current
stable 1.1.0 series.
At one point master did have abi breaks and was marked as 1.2, but that
was reverted / fixed up.
But obviously this can change, as it has not been released.
Based on the upstream timings I think they are free to announce the next
LTS release and/or change maintenance windows in late 2018 or in 2019.

Apart from TLS 1.3, we are missing hw acceleration work that got added
in 1.1.0+ on multiple server architectures.

> Have you done a test rebuild of universe packages?
> 

No, but I can do one locally and sync build logs.

> > 
> > I have rebuilt the openssl 1.1.0 package from Debian, with modifications
> > to force-provide all -dev packages pointing at the 1.1.0 series, to
> > validate how many outstanding packages in main still do not support
> > the 1.1.0 series api/abi in bionic.
> > 
> > The failed build logs for main can be seen here:
> > https://launchpad.net/~xnox/+archive/ubuntu/openssl/+packages?field.name_filter=&field.status_filter=published&field.series_filter=bionic
> >  
> > These are:
> > bind9
> > freerdp
> > linux
> > nagios-nrpe
> > net-snmp
> > openhpi
> > openssh
> > pam-p11
> > ppp
> > qtbase-opensource-src
> > ruby2.3
> > wpa
> > wvstreams
> > xchat-gnome
> > 
> > Thus there are 14 packages to fix.
> > 
> > Of which
> > - ruby2.5 supports the new abi, and it is expected there will be a 2.5
> > transition in Debian/Ubuntu soon
> > - Qt 5.10 has new abi support, and there is a backport branch/patch that
> > applies to the 5.9 series
> > - openssh is being worked on and is complex, I am hoping for this
> > solution to work out
> > https://github.com/openssh/openssh-portable/pull/48
> > - linux is an unidentified failure, maybe a generic FTBFS
> > 
> > Meaning 10 packages are in the unknown state of progress. I'm not sure
> > if it is feasible to switch to 1.1.0 openssl without all of the above
> > packages fixed to work with the new API.
> > 
> > Feel free to use openssl from the above PPA for test builds only, as
> > it is an entirely unsupported PPA and may go away at any point.
> > It is not compatible with either Ubuntu or Debian, nor will it ever be,
> > due to overriding of the meta-package to point at 1.1.0 series openssl
> > unconditionally.
> > 
> > Timeline:
> > 
> > * I hope that TLS WG can standardise TLS 1.3 soon
> > 
> > * I hope that OpenSSL team can release 1.1.1 series with TLS 1.3 soon
> > and declare it an LTS series
> > 
> > * Or at least I hope that OpenSSL team could consider extending 1.1.0
> > series security support timeframe
> 
> This is the big issue. If upstream don't declare the 1.1 series to be their next
> LTS series, we'll be shipping an interim release which could possibly be
> different enough to both 1.0.2 and a future 1.2 that would prevent us from being
> able to maintain it properly. Unless we get assurance from upstream that 1.1
> will be the next LTS, I'd much rather we stay on 1.0.2 which will be supported
> for a longer period.
> 

Note that 1.1.1 and 1.1.0 are binary compatible, yet are treated as
separate series and can have different support time lines.

> > 
> > .... so I wish all that for Christmas or a unicorn. I fear, I may end
> > up with a unicorn.
> > 
> 
> Can we task the unicorn with backporting openssl fixes? :)
> 

But seriously, can we estimate how much contracting such a unicorn
would cost? And if we can justify it?

Also note, I do not know the status of 1.1.0/1.1.1 series FIPS patches
progress, which may be one more spanner in the works.

Regards,

Dimitri.
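As an added illustration of the version relationships this thread relies on (example code, not from the thread, Ubuntu or OpenSSL), the following decodes the OPENSSL_VERSION_NUMBER layout of the 1.x series and applies the rule that releases sharing major.minor keep the ABI, which is why 1.1.1 is binary compatible with 1.1.0 while 1.0.2 is with neither. The three release constants are the real encodings; the function names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Added example, not from the thread. OPENSSL_VERSION_NUMBER in the 1.x
 * series is laid out as 0xMNNFFPPSL: M major, NN minor, FF fix, PP patch
 * letter (a=1, b=2, ...), S status (0xf = release). Releases sharing
 * major.minor keep the ABI (libssl.so.1.0.0 for 1.0.x, libssl.so.1.1 for
 * 1.1.x): 1.1.1 is binary compatible with 1.1.0, and 1.0.2 with neither. */
struct ossl_version { unsigned major, minor, fix, patch, status; };
/* Release encodings of the series discussed in the thread. */
#define OSSL_1_0_2 0x1000200fUL
#define OSSL_1_1_0 0x1010000fUL
#define OSSL_1_1_1 0x1010100fUL
struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r = {
        (unsigned)((v >> 28) & 0xF), (unsigned)((v >> 20) & 0xFF),
        (unsigned)((v >> 12) & 0xFF), (unsigned)((v >> 4) & 0xFF),
        (unsigned)(v & 0xF) };
    return r;
}
/* Renders e.g. 0x1010006fUL as "1.1.0f"; a zero patch field has no letter. */
int ossl_format(unsigned long v, char *out, size_t n)
{
    struct ossl_version r = ossl_decode(v);
    if (r.patch == 0)
        return snprintf(out, n, "%u.%u.%u", r.major, r.minor, r.fix);
    return snprintf(out, n, "%u.%u.%u%c", r.major, r.minor, r.fix,
                    (char)('a' + r.patch - 1));
}

/* ABI rule for the 1.x series: same major and minor share a soname. */
bool ossl_abi_compatible(unsigned long a, unsigned long b)
{
    struct ossl_version x = ossl_decode(a), y = ossl_decode(b);
    return x.major == y.major && x.minor == y.minor;
}
/* The build-time guard a port uses, #if OPENSSL_VERSION_NUMBER >= 0x10100000L,
 * written as a function so it can be exercised on sample values. */
bool ossl_uses_opaque_api(unsigned long v) { return v >= 0x10100000UL; }

int main(void)
{
    char buf[16];
    ossl_format(OSSL_1_1_1, buf, sizeof buf);
    printf("%s: opaque API %d, ABI-compatible with 1.1.0 %d\n", buf,
           ossl_uses_opaque_api(OSSL_1_1_1), ossl_abi_compatible(OSSL_1_1_1, OSSL_1_1_0));
    return 0;
}
```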

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
