[Pkg-openssl-devel] Bug#983722: Bug#983722: libssl1.1: drop upgrade support from old-old-old-stable from maintainer script

Kurt Roeckx kurt at roeckx.be
Sun Feb 28 21:45:24 GMT 2021


On Sun, Feb 28, 2021 at 10:00:35PM +0100, Helmut Grohne wrote:
> Hi Kurt,
> 
> On Sun, Feb 28, 2021 at 09:48:04PM +0100, Kurt Roeckx wrote:
> > I think you at least misunderstand the purpose of the script, but
> > we've also not used it in a very long time.
> 
> I think I do understand the purpose, but it does not presently serve the
> stated purpose. Given that the checked version is so ancient, it is
> effectively dead code.

To activate it, the version in the postinst gets updated. But like
I said, it's not been activated in a long time, so maybe it is
dead code.

> > It's meant to restart all services that make use of openssl when a
> > security update is released. I guess I switched to "checkrestart"
> > myself, so never had the need to use it myself anymore.
> 
> That or needrestart. I don't think that the general expectation these
> days is that upgrading a library restarts affected services. Exceptions
> to this rule include nss (libc6) and pam updates as failing to restart
> services can result in them becoming dysfunctional. For most other
> cases, an external checker is the recommended best practice.

I'm not sure users are aware that they need to restart the
services (or reboot) to fix the security issues. We still lack a
way to indicate that to the user. I would really like to see
a general fix for this.

> Unless you wish to reactivate this code with a current version, I think
> it should be deleted. If you do, please close this bug with a wontfix
> tag.

I guess you mean "If you don't".

Anyway, the template code and translations can all be deleted
too if that patch is applied.


Kurt
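The gap raised in this message, services that keep running the old library until they are restarted, can be checked for on Linux by looking for processes that still map an unlinked copy of libssl or libcrypto. The following is an added example, not code from this thread, from the libssl1.1 maintainer script, or from checkrestart/needrestart; the function names and the sample maps text are constructed for illustration.

```python
import os
import re

# libssl1.1 ships both libssl and libcrypto; match either shared object.
LIB_RE = re.compile(r"/(libssl|libcrypto)\.so[^/\s]*$")
DELETED = " (deleted)"

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a01f000 r--p 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1c2a200000-7f1c2a2a0000 r-xp 00000000 08:01 132 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f1c2a400000-7f1c2a421000 rw-p 00000000 00:00 0
7f1c2a600000-7f1c2a610000 r--p 00000000 08:01 140 /tmp/scratch.so (deleted)
"""

def stale_libs(maps_text):
    """Return OpenSSL libraries mapped from files that have since been unlinked."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        path = fields[5].rstrip()
        if path.endswith(DELETED):
            path = path[: -len(DELETED)]
            if LIB_RE.search(path):
                stale.add(path)
    return stale

def scan_proc(proc="/proc"):
    """Map pid -> (process name, stale libraries) for every readable process."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps")) as f:
                libs = stale_libs(f.read())
            with open(os.path.join(proc, pid, "comm")) as f:
                name = f.read().strip()
        except OSError:
            continue  # process exited, or not readable without root
        if libs:
            hits[int(pid)] = (name, sorted(libs))
    return hits

if __name__ == "__main__":
    for pid, (name, libs) in sorted(scan_proc().items()):
        print(f"{pid}\t{name}\t{', '.join(libs)}")
```

Run as root after an upgrade to see every process; an unprivileged run only covers processes the user can read.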


