Re: Will OpenSSL 1.1l be back ported to 2021Q2?

["J. Lewis Muir" <jlmuir%imca-cat.org@localhost>]

On 09/07, Joerg Sonnenberger wrote:
> On Tue, Sep 07, 2021 at 03:32:46PM -0500, J. Lewis Muir wrote:
> > This is sad, IMO.  An open-source project has certain responsibilities
> > when it comes to security.  NetBSD, for example, has a security team,
> > and the security team addresses discovered security vulnerabilities
> > for the supported branches and releases security advisories.  It seems
> > irresponsible for the pkgsrc project to say that there are only 30 days
> > left in Q2, it's a pain to fix it, so we won't.
> 
> You are ignoring that OpenSSL tiny updates have a long history of
> breaking random things. They *always* need a careful studying of the
> diff to make sure they didn't completely %^$^$ the ABI.

Bummer, didn't know that; thanks for the explanation.  That is
unfortunate, indeed.  A pkgsrc stable branch that wants a patch release
that just fixes the security vulnerability, and an upstream that
makes ABI-breaking changes on the patch release: not a good match.  I
don't know what you do with that.  I guess a fork is needed (a la
GraphicsMagick).

Given what you've said, I think I would treat the OpenSSL situation on
the pkgsrc stable branch as "can't update to the latest patch release
because upstream has a history of providing a patch release that breaks
ABI backward compatibility."

> So yeah, for a CVE that most people will not have to care about, it can
> be difficult to find the motivation and time.

I didn't read the CVE, but I assumed that since Iain said it was given
a "high rating," it would affect a lot of people.  Anyway, even if it
wouldn't affect many people, I would still think it should be addressed,
but as I said above, if upstream has a problem with making patch
releases that break ABI backward compatibility, that's a very difficult
situation, and I don't see a good way to deal with that, and I don't
think the responsibility should fall on pkgsrc developers.

Lewis