[Bug 2067384] Re: openssl: merge 3.2.1-3 from unstable

Simon Chopin 2067384 at bugs.launchpad.net
Mon Jun 10 07:45:09 UTC 2024


** Merge proposal linked:
   https://code.launchpad.net/~adrien/ubuntu/+source/openssl/+git/openssl/+merge/466581

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2067384

Title:
  openssl: merge 3.2.1-3 from unstable

Status in openssl package in Ubuntu:
  In Progress

Bug description:
  Unstable has openssl 3.2.1, which is needed to fix some tests for nodejs
  and some features for cryptsetup, and is a good step to 3.3 for 24.10.

  Merge request:
  https://code.launchpad.net/~adrien/ubuntu/+source/openssl/+git/openssl/+merge/466581

  Copied over from the MP for anyone looking for the detailed rationales behind the dropped delta:
  Merge unstable's openssl 3.2.1-1

  Remove most of the delta we have compared to Debian.

  OpenSSL 3.2 now forbids TLS < 1.2 when at SECLEVEL=2, which we were
  already doing through a patch. This lets us drop patches that implement
  this and those that adapt tests.

  In addition, Debian had integrated the support for the noudeb profile,
  but we still had some bits related to our diff which we can actually
  drop.

  Debian had reverted a change in the default configuration file that
  broke applications which were using openssl < 3. We had not propagated
  that due to various reasons which don't apply for a new development
  cycle. I will see if the patch can be dropped Debian-side as it mostly
  made sense when openssl versions were likely to be installed alongside
  (i.e. during the transition).

  The AVX-512 patches have been integrated upstream and can be dropped.

  The FIPS patches only make sense during Ubuntu LTS cycles. There is
  value in them but the next LTS cycle is in 18 months and the preferred
  approach is rather to have them merged upstream by then.

  In a private conversation with Tobias (from whom I integrated the FIPS
  patches for Noble), we agreed that we could drop the FIPS patches
  after Noble since they would be useless until 26.04, at which point
  they should have been upstreamed already. Overall it's not very useful
  to keep them around as patches during the releases they're certainly
  not going to be used (it's fine to have them through, say, upstream
  3.4 or 3.5 however).

  All security patches have been integrated.

  The code for reboot notification has been removed too as it was buggy
  and was actually only working on desktops while the original intent was
  to have that code run on servers. Considering there has been no
  specification of what was wanted and how it evolved over the years, it's
  impossible to "fix" so let's just remove it. The right place to
  implement such things is not in postinst scripts.

  There are a few things kept: a symlink for changelog/copyright files,
  using perl:native in autopkgtests depends, and disabling LTO. The
  symlink topic will be looked at later on as there are issues there (the
  targets don't exist!), and I will also attempt to drop using
  perl:native. I will be doing that slightly later on as there are already
  many changes and 3.2 is needed to fix some other tests.
