Pau Garcia i Quiles <pgqui...@elpauer.org> writes:

> Most upstreams do not support 1.1.0 yet, and have no plans to
> support it in months. This will force Debian maintainers to rewrite
> OpenSSL code, which is a very sensitive part and may turn an (upstream)
> secure application into an insecure application due to incorrect
> patches.
Yeah, Shibboleth upstream had a similar reaction to the ones reported here: they want to work on it, someone has started looking at it, but since 1.0 is supported for several more years, they weren't expecting it to be an immediate issue and weren't planning on pushing to finish the support until late 2017.

My guess from seeing the changes for INN is that the vast majority of packages, which use OpenSSL in a glancing or fairly straightforward way, won't be difficult to convert. But security and cryptographic software that uses OpenSSL heavily and makes extensive use of its less common corners may require quite a bit of work. (I think most of it is mechanical, but lots of mechanical changes are also high-risk because they're mind-numbing and it's easy to make a small mistake that slips through unnoticed.)

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>