Jakub Jelen wrote:
On 11/15/2016 12:02 AM, Damien Miller wrote:
On Mon, 14 Nov 2016, Jakub Jelen wrote:
Thank you for the comments. I understand the upstream directions and
that the OpenSSL step is not ideal. The distros will probably have to
carry these patches until the changes settle down a bit.
AFAIK Red Hat employs at least one OpenSSL maintainer. What is their
view on this situation?
Yes, you got a message off-the-list from Tomas Mraz, our OpenSSL
maintainer, one week ago. OpenSSL certainly wants to resolve these
issues from their side (compat library in addition to 1.0.2 from the
OpenSSL side).
I don't think that this is so important. Each project has a specific use
of the crypto library and it is not so difficult to write a compatibility layer.
I know a number of projects that already have such a layer.
But that will not help us with compatibility against LibreSSL if I see
right.
If the compatibility layer is written properly, OpenSSL-compatible libraries
will be supported as well.
For instance, PKIX-SSH mainly tests for the presence of each feature and
as a result supports builds with various OpenSSL versions, including FIPS
or Kerberos enabled. Such tests ensure builds with OpenSSL-compatible
libraries.
Using cryptographic library A or B, version c or d, etc. depends on
many things. One criterion is that known defects are fixed, but this is
off-topic to OpenSSL API 1.1 support.
Just one remark: a long time ago the OpenSSL team announced a plan to hide
structures to ensure better compatibility between releases. The team missed
the 1.0 release, but now this is a fact.
Regards,
Roumen Petrov
--
Secure shell with X.509 certificate support
http://roumenpetrov.info/secsh/