On Friday, 18 November 2016 22:22:59 CET Moritz Mühlenhoff wrote: > Adrian Bunk <b...@stusta.de> schrieb: > > And/or get sponsorship from companies for supporting ChaCha20-patched > > 1.0.2 > > It's not a matter of whipping up some patch; anything less than an > official backport of chacha20 into a 1.0.2x release is not going > to be supportable.
I am sure Redhat will be interested in that as well. So release now with 1.0.2 without ChaCha20 and upgrade openssl in a point release when/if 1.0.2 supports ChaCha20. That or delay the release by a few months. BTW, just because an openssl-using app/lib does not export an interface that allows access of openssl-related internals does not mean that no other lib or plugin messes with those internals. For example, for apache2 there is gridsite which uses mod_ssl private interfaces and a private copy of a header from the apache2 sources to get access to the SSL context. Finding all such issues in all packages will take time. Cheers, Stefan
