[openssl-users] [openssl-announce] Forthcoming OpenSSL releases

Jakob Bohm jb-openssl at wisemo.com
Wed Mar 18 10:45:40 UTC 2015

On 18/03/2015 10:14, Matt Caswell wrote:
> On 18/03/15 07:59, Jakob Bohm wrote:
>> (Resend due to MUA bug sending this to -announce)
>> On 16/03/2015 20:05, Matt Caswell wrote:
>>> Forthcoming OpenSSL releases
>>> ============================
>>> The OpenSSL project team would like to announce the forthcoming release
>>> of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
>>> These releases will be made available on 19th March. They will fix a
>>> number of security defects. The highest severity defect fixed by these
>>> releases is classified as "high" severity.
>> Just for clarity in preparing to use the forthcoming
>> update:
>> Has the 1.0.1m source code been mangled by the script that
>> made it near-impossible to port local changes to 1.0.2, or
>> will it retain the same code formatting as in the rest of
>> the 1.0.1 series?
>> Similarly, will 1.0.0r be mangled or will it retain the
>> same code formatting as in the rest of the 1.0.0 series?
>> Similarly, will 0.9.8zf be mangled or will it retain the
>> same code formatting as in the rest of the 0.9.8 series?
> I prefer the term "improved" over "mangled"! ;-)
> The answer is, yes, all branches (including 1.0.1, 1.0.0 and 0.9.8) have
> been reformatted according to the new coding style.
> It is perfectly possible, if a little fiddly, to reformat your local
> patches to the new style. I have done so myself for a number of my own
> patches. I included some outline instructions on how to do it in my
> recent blog post on the reformat:
> https://www.openssl.org/blog/blog/2015/02/11/code-reformat-finished/
Long read, and lots of internal details of how your script
doesn't even work for your own code...

However the patch rebasing instructions are *completely
useless* for those of us who maintain private patches
against release tarballs.  We *don't* have any of this
in a clone of your git and we *have no way* to access
intermediary git steps from your partially botched
other-work sequence.

I guess each of us will have to spend weeks (or more)
manually recreating all our hard work before we can apply
whatever security fixes are hidden in tomorrow's tarball.

And it also seems that it is nearly impossible to turn the
changes into a reviewable patch that can be applied to an
existing tree, like the various distributions (on and off
the vendor-sec lists) will need to.

So let's all hope one of the vendors will do your job for
you and transform the new releases into patches against
the previous tarballs, before the embargo is lifted
tomorrow, or soon after.


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
