[openssl-dev] 0.9.8 support after 31 Dec 2015

Theodore Ts'o tytso at mit.edu
Tue Jul 21 15:41:51 UTC 2015


Perhaps a good model to take would be how the Linux kernel handles
ancient stable kernels.  After a while, Greg K-H stops supporting a
long-term stable kernel.  In some cases, a volunteer will step up and
continue supporting some ancient kernel.  Those ancient kernels don't
get all bug fixes, and not even all security fixes.  What they get is
up to the volunteer.

In the Linux kernel case, those ancient stable kernels are listed on
the front page of www.kernel.org.  I sometimes fear that some people
believe that all security fixes make it into, say, 2.6.32, or 3.2 or
3.4.  In fact, I'm pretty sure there are cases when they don't, and
one could make the case that the fact those ancient kernels are listed
on the front page is a bad thing since it reduces the pressure on
vendors to upgrade to something more recent and more secure.

Given that OpenSSL is a security-focused product, that might be a
reason why it might not be a good idea to have such kernels advertised
on the front page.  But certainly having a single community-supported
ancient release is probably better than multiple independent release
engineers trying to support an ancient release.  Much better of course
would be to get everyone to upgrade.  :-)

- Ted
