Hi.

On Mon, Nov 05, 2018 at 06:18:00AM +0100, Harald Dunkel wrote:
> On 11/3/18 4:42 PM, Reco wrote:
> > Hi.
> >
> > On Sat, Nov 03, 2018 at 03:37:06PM +0100, Harald Dunkel wrote:
> >>
> >> I don't see a short release cycle as a bad feature. It's a sign of
> >> active and agile development.
> >
> > And in Debian stable that also means that it's close to impossible to
> > backport security fixes to the chosen version (because it's "too old").
> > Updating such a fundamental library can (and probably *will*) lead to
> > API/ABI breakage. While tolerable at sid/testing, such things are
> > frowned upon at stable.
>
> That's a home-made problem affecting many packages in Debian, RedHat EL,
> and others.

Yet that's a price they agree to pay for a predictable software behaviour
during the lifecycle of a single major release.

And that's IBM EL now. RedHat's selling out.

> >> Openssl has a bad reputation for introducing security problems,
> >> partly due to its complex and "dangerous code", which was the
> >> major reason for the fork.
> >> https://en.wikipedia.org/wiki/LibreSSL#History
> >
> > As long as it's used - they will search for vulnerabilities in there.
> > And they will find them. PHP has an even worse reputation in this regard,
> > for example, yet you still see people who are using PHP.
>
> That's the point. AFAICT there are many alternatives to php. It's upstream's
> job to decide which scripting language to choose.

But there are no alternatives to PHP that match its (possibly passing)
popularity.

> Debian can choose to include the source packages (php or the tools
> using it) into the distro.

Likewise we have two alternatives to openssl in Debian right now: GnuTLS
and NSS. Unlike LibreSSL, they produce stable versions.

> For opensmtpd (the package I am interested in) upstream has decided to
> ditch openssl in favor of libressl. Now Debian has several options in this
> case:
>
> - add libressl to Debian
> - stick to the old opensmtpd 6.0.3 and openssl and backport security fixes
> - modify opensmtpd 6.4 to make it work with openssl
> - drop opensmtpd

I'd add a fifth: embed libressl into the Debian package of opensmtpd.
It's happened before.

Reco