From sebastian at breakpoint.cc Thu Oct 12 21:44:43 2017 From: sebastian at breakpoint.cc (Sebastian Andrzej Siewior) Date: Thu, 12 Oct 2017 23:44:43 +0200 Subject: Bug#859829: xml-security-c: Please migrate to openssl1.1 in Buster References: <20170407164257.uesoyv5fdhyb3c24@breakpoint.cc> Message-ID: <20171012214443.kxlre4uz6ribdny3@breakpoint.cc> Hi, this is a remainder about the openssl transition [0]. We really want to remove libssl1.0-dev from unstable for Buster. I will raise the severity of this bug to serious in a month. Please react before that happens. [0] https://bugs.debian.org/871056#55 Sebastian From sebastian at breakpoint.cc Thu Oct 12 21:44:43 2017 From: sebastian at breakpoint.cc (Sebastian Andrzej Siewior) Date: Thu, 12 Oct 2017 23:44:43 +0200 Subject: Bug#859831: xmltooling: Please migrate to openssl1.1 in Buster References: <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> Message-ID: <20171012214443.pl27mntpwuzmtl53@breakpoint.cc> Hi, this is a remainder about the openssl transition [0]. We really want to remove libssl1.0-dev from unstable for Buster. I will raise the severity of this bug to serious in a month. Please react before that happens. [0] https://bugs.debian.org/871056#55 Sebastian From owner at bugs.debian.org Mon Oct 30 20:36:05 2017 From: owner at bugs.debian.org (Debian Bug Tracking System) Date: Mon, 30 Oct 2017 20:36:05 +0000 Subject: Processed (with 1 error): moonshot-gss-eap cannot migrate to openssl 1.1.0 prior to xmltooling References: <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> Message-ID: Processing control commands: > affects -1 moonshot-gss-eap Bug #859831 [xmltooling] xmltooling: Please migrate to openssl1.1 in Buster Added indication that 859831 affects moonshot-gss-eap > block -2 with -1 Failed to set blocking bugs of -2: The 'bug' parameter ("-2") to Debbugs::Control::set_blocks did not pass regex check . -- 859831: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859831 Debian Bug Tracking System Contact owner at bugs.debian.org with problems From hartmans at debian.org Mon Oct 30 20:33:38 2017 From: hartmans at debian.org (Sam Hartman) Date: Mon, 30 Oct 2017 16:33:38 -0400 Subject: Bug#859831: moonshot-gss-eap cannot migrate to openssl 1.1.0 prior to xmltooling References: <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> Message-ID: control: affects -1 moonshot-gss-eap control: block -2 with -1 Hi. I will shortly be uploading a version of moonshot-gss-eap that is happy to build against either openssl 1.1 or openssl 1.0. Unfortunately, it won't actually build against openssl 1.1 because dependencies on libxmltooling-dev will force it to openssl 1.0. So, in order to have a moonshot-gss-eap that builds against openssl 1.1, we'll need to get xmltooling fixed. From cantor.2 at osu.edu Mon Oct 30 20:38:17 2017 From: cantor.2 at osu.edu (Cantor, Scott) Date: Mon, 30 Oct 2017 20:38:17 +0000 Subject: Bug#859831: moonshot-gss-eap cannot migrate to openssl 1.1.0 prior to xmltooling In-Reply-To: References: <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> Message-ID: <0D477A9F-284A-43F8-B802-E4DFA0989FE4@osu.edu> On 10/30/17, 4:36 PM, "Pkg-shibboleth-devel on behalf of Sam Hartman" wrote: > So, in order to have a moonshot-gss-eap that builds against openssl 1.1, > we'll need to get xmltooling fixed. The version of Shibboleth that supports 1.1 will be out some time next year, and I can't put much of a time frame on it beyond that. I doubt it will be June, but I also doubt it will be January. -- Scott From hartmans at debian.org Mon Oct 30 20:49:28 2017 From: hartmans at debian.org (Sam Hartman) Date: Mon, 30 Oct 2017 16:49:28 -0400 Subject: Bug#859831: moonshot-gss-eap cannot migrate to openssl 1.1.0 prior to xmltooling In-Reply-To: <0D477A9F-284A-43F8-B802-E4DFA0989FE4@osu.edu> (Scott Cantor's message of "Mon, 30 Oct 2017 20:38:17 +0000") References: <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> <0D477A9F-284A-43F8-B802-E4DFA0989FE4@osu.edu> <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> Message-ID: >>>>> "Cantor," == Cantor, Scott writes: Cantor,> On 10/30/17, 4:36 PM, "Pkg-shibboleth-devel on behalf of Cantor,> Sam Hartman" Cantor,> on behalf of hartmans at debian.org> wrote: >> So, in order to have a moonshot-gss-eap that builds against >> openssl 1.1, we'll need to get xmltooling fixed. Cantor,> The version of Shibboleth that supports 1.1 will be out Cantor,> some time next year, and I can't put much of a time frame Cantor,> on it beyond that. I doubt it will be June, but I also Cantor,> doubt it will be January. Nod. I've actually been following this list and am aware of where things stand. Assuming that the SSL maintainers move at the speed they are hoping to move, Shibboleth will be pulled from Debian testing in about a month. My understanding is that the patches already exist, but effort didn't exist within Debian to do a good job of taking those patches ourselves at least the last time this was discussed on the list. Moonshot can technically be built without Shibboleth. That kind of cripples especially the acceptor, but it does build. I'll talk to the moonshot community about whether it would be better for Moonshot to remain out of testing (it got pulled because of an arm64 issue) or whether having a crippled version that works well as a client but not great as a server would be better. From owner at bugs.debian.org Mon Oct 30 20:54:04 2017 From: owner at bugs.debian.org (Debian Bug Tracking System) Date: Mon, 30 Oct 2017 20:54:04 +0000 Subject: Processed: block 848680 with 859831 References: <1509396307-2249-bts-hartmans@debian.org> Message-ID: Processing commands for control at bugs.debian.org: > block 848680 with 859831 Bug #848680 [src:moonshot-gss-eap] moonshot-gss-eap: Please migrate to openssl1.1 in buster 848680 was blocked by: 844836 828608 844815 848680 was blocking: 871056 Added blocking bug(s) of 848680: 859831 > thanks Stopping processing here. Please contact me if you need assistance. -- 848680: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848680 Debian Bug Tracking System Contact owner at bugs.debian.org with problems From cantor.2 at osu.edu Mon Oct 30 20:53:18 2017 From: cantor.2 at osu.edu (Cantor, Scott) Date: Mon, 30 Oct 2017 20:53:18 +0000 Subject: Bug#859831: moonshot-gss-eap cannot migrate to openssl 1.1.0 prior to xmltooling In-Reply-To: References: <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> <0D477A9F-284A-43F8-B802-E4DFA0989FE4@osu.edu> <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> Message-ID: <527352E4-BB45-4C8C-8E2A-8903F99E978A@osu.edu> On 10/30/17, 4:49 PM, "Sam Hartman" wrote: > My understanding is that the patches already exist, but effort didn't > exist within Debian to do a good job of taking those patches ourselves > at least the last time this was discussed on the list. They're also up and down the stack and includes Santuario/xml-sec patches that I'm also stuck making happen, though that should get released probably next month as xml-security 2.0. The scope of the patches are such that I definitely advised them not to try it themselves, and I think they took that advice. -- Scott From wferi at niif.hu Mon Oct 30 22:34:39 2017 From: wferi at niif.hu (Ferenc =?UTF-8?Q?W=C3=A1gner?=) Date: Mon, 30 Oct 2017 23:34:39 +0100 Subject: Bug#859831: moonshot-gss-eap cannot migrate to openssl 1.1.0 prior to xmltooling In-Reply-To: <527352E4-BB45-4C8C-8E2A-8903F99E978A@osu.edu> (Scott Cantor's message of "Mon, 30 Oct 2017 20:53:18 +0000") References: <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> <0D477A9F-284A-43F8-B802-E4DFA0989FE4@osu.edu> <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> <527352E4-BB45-4C8C-8E2A-8903F99E978A@osu.edu> <20170407164426.tnxjf5uily4wdxs4@breakpoint.cc> Message-ID: <87tvygw9hc.fsf@lant.ki.iif.hu> "Cantor, Scott" writes: > On 10/30/17, 4:49 PM, "Sam Hartman" wrote: > >> My understanding is that the patches already exist, but effort didn't >> exist within Debian to do a good job of taking those patches >> ourselves at least the last time this was discussed on the list. > > They're also up and down the stack and includes Santuario/xml-sec > patches that I'm also stuck making happen, though that should get > released probably next month as xml-security 2.0. The scope of the > patches are such that I definitely advised them not to try it > themselves, and I think they took that advice. Thanks for summing this up so nicely, Scott. Yes, we're waiting for a new upstream release of the whole stack. OpenSSL 1.1 support will arrive with that. Meanwhile I was pushing for Xerces 3.2, which its maintainer kindly uploaded but it's yet to transition in unstable. XML-Security 2 will require this version, and the current version seems to build with it as well, so we aren't stuck here at least. -- Regards, Feri