On Thu, Oct 27, 2016 at 2:39 PM, Antti Järvinen <antti.jarvi...@katiska.org> wrote:
> While patching -DOPENSSL_API_COMPAT=0x10100000L will help a lot but > code changes are still required in addition to this flag, many > applications allocate OpenSSL data-structures in stack and this is not > supported any more, regardless of -DOPENSSL_API_COMPAT. > > This whole "let's shove OpenSSL 1.1 down your throat" is a very bad idea, IMHO. My upstreams (witty and ace) have no plans to support OpenSSL 1.1 in the next months. I do not have enough knowledge with OpenSSL to feel comfortable with my patches. I may end up rendering the software insecure. Does anyone remember the OpenSSL PRNG incident 10 years ago? Are we trying to repeat it? https://www.schneier.com/blog/archives/2008/05/random_number_b.html Really, this does look like a huge mistake. Packagers will produce patches that will generate suboptimal, if not straight insecure, software just for their packages not to be removed, and/or to stop those "hey hey, RC bug on you!" mails. Please, delay the "only 1.1 migration" for 1 year. -- Pau Garcia i Quiles http://www.elpauer.org
