Sam Hartman:
>
> My understanding of the current plan is that we're adding openssl 1.1.0
> to unstable, but will make a decision about whether to drop libssl1.0.2
> later.
>
> That's really frustrating for the rest of the ecosystem--our users and
> our upstreams, and I'd ask the release team to commit now to 1.0.2 being
> available for stretch.
>
> [...]
>
> Debian matters in the larger ecosystems, and we owe it to our upstreams
> and our users to decide now whether we're asking people to make those
> sort of mad scrambles.
> I think we should not. Regardless, decisions now matter.
>
> Thanks for your consideration,
>
> --Sam

Hi Sam,

openssl/1.0.2 will remain in stretch and will be available to the subset of packages that are infeasible to port to openssl/1.1 in time for stretch. All parties promoting ssl1.1 as default for stretch assume that there will be packages left requiring ssl1.0.2.

We still urge people to support openssl/1.1 where it is feasible and reasonable to port their packages. openssl/1.0.2 is in the low/old end of "modern cryptography" and the openssl maintainers are not willing to deviate from upstream supported features on that aspect.

Thanks,
~Niels