On Sat, 09-06-2018 at 10:22 +0200, Lars Wendler wrote:
>
> [...]
> some point. |
>
> So, basically openssl is the last big showstopper for openssl-1.1 to
> get out of p.mask. There are some unofficial patches floating around in
> the WWW but each one of them has some issues and they all are not
> really small in size.
> Last time I checked, the most complete (but still to some degree
> broken) patch had 2800+ LOC and was 80K in size. This is definitely
> nothing I want to maintain as downstream, left aside the fact that
> openssh should not be messed with lightly regarding security |
> implications.

Why not try to use the RedHat/Fedora patch for openssl-1.1 compat? It seems they
are taking care of maintaining that patch on their side.

>
> My biggest concern right now is that openssh might still block |
> openssl-1.1.1 once that got released. openssl-1.1.1 provides TLSv1.3
> which is something we should provide to our users as soon as possible
> and is also targeted as next LTS release.
>
>
>
> [1] https://bugs.gentoo.org/592438
> [2] https://bugs.gentoo.org/592578
> |