Adrian Bunk <b...@stusta.de> wrote:
> On Tue, Nov 15, 2016 at 09:37:01AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
>> On Monday, 14 November 2016 16:51:04 ART Marco d'Itri wrote:
>> > On Nov 14, Lisandro Damián Nicanor Pérez Meyer <perezme...@gmail.com> wrote:
>> > > And yes, I would step back and switch libssl-dev to provide libssl1.0-dev
>> > > and have libssl1.1-dev around for anyone who can really do the switch.
>> > I would not: OpenSSL 1.0 does not support ChaCha20 so it would be a very
>> > bad default for next year's release.
>> > Bad enough that I would have to use a different distribution for some
>> > web servers.
>>
>> That's why I wrote:
>>
>> And if we **really** need to switch to libssl1.1 then we **really** need to
>> delay the release by 6 months as a very minimum, maybe 1 year.
>>
>> Yes, I also know that it sounds awful, but do we have another way out?
>
> Yes, patching the OpenSSL 1.1 features that are really needed into the
> Debian OpenSSL 1.0.2 package.
>
> For ChaCha20 that's existing patches that are already being used
> elsewhere.
That's not an option. While there's an external patch for ChaCha20/Poly1305 by Cloudflare, it hasn't been upstreamed, and we cannot cover it with security support in a meaningful manner. And other features are not backportable at all. Kurt has already asked who would do the backports and support them in https://lists.debian.org/debian-release/2016/10/msg00609.html, so stop pretending that's a genuine option.
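The disagreement above turns on which cipher suites a given libssl build actually offers: Marco's objection is that OpenSSL 1.0.x has no ChaCha20-Poly1305 suites, and the answer is that they cannot be added to 1.0.2 in a supportable way. The script below is an added example written for this page, not code from Debian, OpenSSL or any of the posters. It parses the line format that `openssl ciphers -v` prints (name, protocol, `Kx=`, `Au=`, `Enc=`, `Mac=`) and reports which suites are AEAD, which are ChaCha20, and which lack forward secrecy, so an operator can see concretely what pinning a system to 1.0.2 would leave them with. The two sample listings are constructed by hand to resemble a 1.0.2-style and a 1.1.0-style build; they are not captured from real installations.

```python
"""Summarise the cipher suites an OpenSSL build offers from `openssl ciphers -v` output.

Added example for this thread; not code from Debian, OpenSSL or any poster.
SAMPLE_102 and SAMPLE_110 below are constructed listings, not real command output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# A line of `openssl ciphers -v` looks like (columns separated by runs of spaces):
#   ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    mac: str

    @property
    def aead(self) -> bool:
        # GCM and ChaCha20-Poly1305 suites report Mac=AEAD; CBC suites report a hash.
        return self.mac == "AEAD"

    @property
    def forward_secret(self) -> bool:
        # Ephemeral (EC)DH key exchange; Kx=RSA means the session key is RSA-encrypted.
        return self.kx in ("ECDH", "DH")

    @property
    def chacha20(self) -> bool:
        return self.enc.startswith("CHACHA20")


def parse_ciphers(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` output; reject lines that do not match the format."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        suites.append(Suite(**m.groupdict()))
    return suites


def summarize(text: str) -> Dict[str, object]:
    """Report counts and names relevant to a 1.0.2-vs-1.1 decision."""
    suites = parse_ciphers(text)
    return {
        "total": len(suites),
        "aead": sorted(s.name for s in suites if s.aead),
        "chacha20": sorted(s.name for s in suites if s.chacha20),
        "non_pfs": sorted(s.name for s in suites if not s.forward_secret),
    }


# Constructed sample: what a 1.0.2-era build might list (no ChaCha20 suites).
SAMPLE_102 = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

# Constructed sample: the same list as a 1.1.0-era build would extend it.
SAMPLE_110 = SAMPLE_102 + """\
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
"""

if __name__ == "__main__":
    import sys
    if sys.stdin.isatty():
        # No piped input: show the two constructed samples side by side.
        for label, text in (("1.0.2-like", SAMPLE_102), ("1.1.0-like", SAMPLE_110)):
            print(label, summarize(text))
    else:
        # Piped input: summarise a live listing, e.g. `openssl ciphers -v ALL | python3 this.py`
        print(summarize(sys.stdin.read()))
```

Run with `openssl ciphers -v ALL | python3 this.py` on a host to see the real picture; an empty `chacha20` list alongside a populated `aead` list is exactly the 1.0.2 situation the thread describes, and the `non_pfs` list shows which static-RSA suites a server-side cipher string should also exclude.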