Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

Jan Just Keijser janjust at nikhef.nl
Mon May 31 09:54:30 UTC 2021


On 30/05/21 14:05, Michael McKenney wrote:
>
> Why can't we get a proper installation method to keep OpenSSL at the 
> latest revision for Linux?
>
> My biggest compliant with Linux is it is so difficult to get best 
> practice installations for services like OpenSSL. Ubuntu is still on 
> 1.1.1f.    I have been trying to upgrade to 1.1.1k.   Openssl version 
> -a states I am on 1.1.1k.   When programs in Wordpress that use 
> OpenSSL show I am using 1.1.1.f.   Spending hours of time on various 
> sites like AskUbuntu.com, only to be disappointed.   Microsoft has 
> best practices guides for installations.   Why can’t we get them for 
> Linux.
>
>
this is both very hard and undesirable:
openssl can be regarded as a low-level system library that is used by 
many applications across the entire Linux distribution. You cannot 
simply upgrade this low-level system library without breaking these 
applications. Admittedly, for an upgrade from 1.1.1f -> 1.1.1k the risk 
of introducing an API change is quite low, but for anything else (e.g. 
1.1.0x -> 1.1.1k) you will almost certainly have to rebuild and relink 
all applications that depend on the OpenSSL libraries.
This is not something you can expect from the Linux distro maintainers. 
For them, it is far less risky to backport security fixes to the version 
of OpenSSL that they built their distro on (e.g. Ubuntu 20 > 1.1.1f; 
CentOS 7 -> 1.0.2k (yes!), etc).

Note that most update woes that Windows 10 has had over the past few 
years were related to library updates breaking applications - so even 
microsoft has problems with "best practices".

HTH,

JJK

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210531/99fa2179/attachment-0001.html>


More information about the openssl-users mailing list