[Pkg-openssl-devel] OpenSSL 1.1.0

Ian Jackson ijackson at chiark.greenend.org.uk
Wed Nov 16 12:26:55 UTC 2016


Ian Jackson writes ("Re: OpenSSL 1.1.0"):
> Lots of people have posted in this thread that they see problems with
> our current approach to the openssl transition.
> 
> Do the openssl maintainers have a response?

I count the following people who expressed concern[1] about this some
time before the 11th of November (last activity from an openssl
maintainer):

   Lisandro Damián Nicanor Pérez Meyer
   Ian Jackson
   Pau Garcia i Quiles
   Colin Tuckley
   Jan Niehusmann

On the 11th Kurt replied, but only to a specific technical aspect of
Jan Niehusmann's message.  (On the 10th there was a second openssl
revision upload.)  It seems to me that there has been no real answer
to most of those comments, and ample time to do so.

Since then I additionally count the following people who have
expressed concern[1]:

   Jan Wagner
   Ondřej Surý
   Adam Borowski
   Russ Allbery
   Dimitri John Ledkov
   Jan Niehusmann
   Adrian Bunk
   Scott Leggett

I appreciate that not everyone can be available all of the time, but
a maintainer has a choice of when to initiate a transition and should
arrange to do so at a time when they can be available in a timely
manner to help steward their transition.

A maintainer should be ready to explain, and if necessary change,
decisions they have taken.  (Ideally wider consultation before taking
such a decision would be better.)

In the absence of input from the openssl maintainers, I would like to
ask the Release Team's opinion.

If we are going to wind back on this change we should do it ASAP.  We
should not allow ourselves to make the decision to press on, simply by
failing to decide otherwise.

If we decide to wind back the transition and the openssl maintainers
continue not to be available (within the short timeframes required),
we have a lot of people who could competently prepare an NMU.

Thanks,
Ian.

[1] I have had to make some judgements about the implications in
people's mails.  "Expressed concern" for me includes suggestions that
the current situation would need a substantial slip to the release.

-- 
Ian Jackson <ijackson at chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.


