[Pkg-bazaar-maint] [Pkg-openssl-devel] Processed: Merge duplicates

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sat Apr 11 22:53:09 BST 2020


On 2020-04-09 22:55:17 [+0300], Adrian Bunk wrote:
> The only thing I really want is to <censored> OpenSSL upstream for their
> unrivalled incompetence.
> 
> 1.1.1c, 1.1.d, 1.1.1e - these were three point releases on a stable
> branch in a row that contained changes that broke reverse dependencies.

I was around fixing them, and in most cases downstream was testing
explicit OpenSSL implementation behaviour (including bugs). So the only
part worth mentioning was when upstream lost some ciphers in between. Other
than that, you make it sound more dramatic than it really is.

Also, side note: If you want to curse, just do it. Get it out of your
system - it might help. *I* really don't mind. I also don't see the
difference between accusing someone (a group of people actually) of
"unrivalled incompetence" and not using a grown-up curse word but just
"<censored>" instead (which took me a while to figure out).

> > All of them will pop with OpenSSL 3.0 so there is no
> > point in closing them now.
> 
> There's no point in keeping bugs open now for one random out of
> the many breakages OpenSSL 3.0 will deliver - you will hit a much
> larger superset of breakages when you will do the first test
> rebuild of reverse dependencies with the first stable 3.0 release.

So I formulated a statement of how you can *help* me, as one person on the
openssl packaging team, to improve the situation. I'm not sure who
disagrees here, but I'm open to suggestions.

What I miss in your response is the technical explanation of why you refuse
to have a bug open for a known error within an application. Just because
the behaviour has been reverted does not make things right. Saying that
a lot more bugs will come does not change the fact that the known bugs can be
fixed when they are known (which is now).
It has been pointed out, repeatedly, that this suppressed EOF handling
leads to truncation attacks since the reading side does not know (or
check) whether the TLS stream has been properly terminated (by the remote
side) or a third party just terminated the TCP stream.

So would you please keep the bugs open, tag them and maybe forward them so
the relevant downstream project can look into it?

> cu
> Adrian

Sebastian
