Best practice for distributions that freeze OpenSSL versions and backports

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Dear team,
It would be nice if there was a user- and security-friendly best practice document for distributions (such as Linux distributions) that freeze on an OpenSSL release version (such as 1.1.1z) and then backport any important fixes. 

Perhaps something like the following:
1. The distributor shall seek to backport as many upstream security fixes as possible and shall sign up to receive advance confidential copies of such code changes to attempt a coordinated release at the same time as the upstream release.
1.1. The version number frozen on should be from the upstream branch with the latest upstream maintenance end date available at the time of freezing the version.
2. Any such backport-patched version (as source, library, shared library, and/or openssl binary shall be provided with a document named: README.fixes with distribution appropriate extension for such files (like .txt or .gz)) listing the following:
2.1 The version number of the most recent upstream release version considered at the time of last document update.
2.2 The version number of the upstream release version chosen as the frozen base, and the date when that choice was made.
2.3 The current differences from that most recent upstream release version, specifying any upstream security advisories and public CVEs not completely fixed, but still listing any and all non-security enhancements not included.
2.4 The current differences from the named frozen base version, with any net changes back and forth cancelled out (thus not a changelog).  Any change fixing a security issue shall list the upstream security advisory and public CVE.
2.5. The distribution maintainers that did the backporting and writing of the document, and (if different) the contact point for reporting issues/bugs in the backport work.
3. The README.fixes document should, if possible, be made available to the upstream project 


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux