Best practice for distributions that freeze OpenSSL versions and backports

Jakob Bohm jb-openssl at wisemo.com
Tue Jun 8 12:59:05 UTC 2021


Dear team,

It would be nice if there was a user- and security-friendly best 
practice document for distributions (such as Linux distributions) that 
freeze on an OpenSSL release version (such as 1.1.1z) and then backport 
any important fixes.

Perhaps something like the following:

1. The distributor shall seek to backport as many upstream security 
fixes as possible and shall sign up to receive advance confidential 
copies of such code changes to attempt a coordinated release at the same 
time as the upstream release.

1.1 The version number frozen on should be from the upstream branch 
with the latest upstream maintenance end date available at the time of 
freezing the version.

2. Any such backport-patched version (as source, library, shared 
library, and/or openssl binary) shall be provided with a document named 
README.fixes (with a distribution-appropriate extension for such files, 
like .txt or .gz) listing the following:

2.1 The version number of the most recent upstream release version 
considered at the time of last document update.

2.2 The version number of the upstream release version chosen as the 
frozen base, and the date when that choice was made.

2.3 The current differences from that most recent upstream release 
version, specifying any upstream security advisories and public CVEs not 
completely fixed, but still listing any and all non-security 
enhancements not included.

2.4 The current differences from the named frozen base version, with any 
net changes back and forth cancelled out (thus not a changelog).  Any 
change fixing a security issue shall list the upstream security advisory 
and public CVE.

2.5 The distribution maintainers that did the backporting and writing 
of the document, and (if different) the contact point for reporting 
issues/bugs in the backport work.

3. The README.fixes document should, if possible, be made available to 
the upstream project.


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
