My understanding of the current plan is that we're adding openssl 1.1.0 to unstable, but will make a decision about whether to drop libssl1.0.2 later.
That's really frustrating for the rest of the ecosystem--our users and our upstreams, and I'd ask the release team to commit now to 1.0.2 being available for stretch. At least one of the clusters of packages I'm involved in--shibboleth and moonshot will require some real upstream porting effort. That's under way in a time scale that will work for buster, but is very unlikely to meet the stretch freeze timeline. It's possible that resources could be reprioritized and that with a fairly agressive scramble, we could get things working with OpenSSL 1.1 in time for stretch. However money and time are finite. That would take away from other priorities and would have significant risks in terms of stability. Debian matters in the larger ecosystems, and we owe it to our upstreams and our users to decide now whether we're asking people to make those sort of mad scrambles. I think we should not. Regardless, decisions now matter. Thanks for your consideration, --Sam
