Upcoming OpenSSL updates

Upcoming OpenSSL updates

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 399 bytes --]

On May 25 between 1200–1600UTC, OpenSSL will release some bug-fix
updates:

https://mta.openssl.org/pipermail/openssl-announce/2017-May/000098.html

Apparently, none of the fixes are for security problems.

However, I still think we should apply the update of openssl@1.0.2 with
a graft, if the ABI is unchanged, unless none of the changes are
relevant for GNU / Linux systems.

WDYT?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Upcoming OpenSSL updates

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 690 bytes --]

On Tue, May 23, 2017 at 12:40:02AM -0400, Leo Famulari wrote:
> On May 25 between 1200–1600UTC, OpenSSL will release some bug-fix
> updates:
> 
> https://mta.openssl.org/pipermail/openssl-announce/2017-May/000098.html
> 
> Apparently, none of the fixes are for security problems.
> 
> However, I still think we should apply the update of openssl@1.0.2 with
> a graft, if the ABI is unchanged, unless none of the changes are
> relevant for GNU / Linux systems.

I thought about it some more, and now I'm not so sure we should start
grafting non-security related bug fixes, in general. For this case,
let's see what the changes are.

I'm still interested in your thoughts!

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Upcoming OpenSSL updates

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> On Tue, May 23, 2017 at 12:40:02AM -0400, Leo Famulari wrote:
>> On May 25 between 1200–1600UTC, OpenSSL will release some bug-fix
>> updates:
>> 
>> https://mta.openssl.org/pipermail/openssl-announce/2017-May/000098.html
>> 
>> Apparently, none of the fixes are for security problems.
>> 
>> However, I still think we should apply the update of openssl@1.0.2 with
>> a graft, if the ABI is unchanged, unless none of the changes are
>> relevant for GNU / Linux systems.
>
> I thought about it some more, and now I'm not so sure we should start
> grafting non-security related bug fixes, in general. For this case,
> let's see what the changes are.

Same here.  I think we should reserve graft for security fixes, or
otherwise serious bug fixes.

I’m surprised that they announce bug-fix-only releases in this way.

Ludo’.

Re: Upcoming OpenSSL updates

[Fox]

better be safe than sorry

Re: Upcoming OpenSSL updates

[Ludovic Courtès]

Fox <firefox@firemail.cc> skribis:

> better be safe than sorry

Please avoid terse messages like this one that contribute very little to
the discussion.  Thanks in advance.

Ludo’.

Re: Upcoming OpenSSL updates

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 823 bytes --]

On Wed, May 24, 2017 at 01:39:17PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > I thought about it some more, and now I'm not so sure we should start
> > grafting non-security related bug fixes, in general. For this case,
> > let's see what the changes are.
> 
> Same here.  I think we should reserve graft for security fixes, or
> otherwise serious bug fixes.

I pushed it to core-updates as 811e10281fc11b514d5a1da2ba5a87e6eb19de5e.

> I’m surprised that they announce bug-fix-only releases in this way.

Me too. I can't figure out how to construct a link to GitHub that will
list the commits in this release; there are 111 commits. The only thing
the OpenSSL maintainers put in 'CHANGES':

* config now recognises 64-bit mingw and chooses mingw64 instead of
mingw.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Upcoming OpenSSL updates

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 505 bytes --]

Leo Famulari <leo@famulari.name> writes:
>> I’m surprised that they announce bug-fix-only releases in this way.
>
> Me too. I can't figure out how to construct a link to GitHub that will
> list the commits in this release; there are 111 commits. The only thing
> the OpenSSL maintainers put in 'CHANGES':

Here is the Github compare view of the two releases (I constructed this
URL manually, not very discoverable!)

https://github.com/openssl/openssl/compare/OpenSSL_1_0_2k...OpenSSL_1_0_2l

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]