Plans for the upcoming Core Updates

Plans for the upcoming Core Updates

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1512 bytes --]

Hello guys,

it has been a bit quiet this week on this list. So here is an update for
everyone on where we are with the upcoming Core Updates.

I would also like to remind you that we have a monthly telephone conference for
further information that is a bit too much to be written down.

So Core Update 119 is branched and ready to be uploaded into testing very soon.
I did not merge OpenSSL into it because I thought that the update would a) get
too large, b) is harder to test and c) we have some things in C119 already that
should be released very very soon because of security reasons.

So basically C119 updates the toolchain, GCC, glibc on all systems. It has some
smaller bug fixes and improvements and that is about it. It is a maintenance and
housekeeping update, but that's kind of good that we have that isolated from any
new features. We should be able to ship this soon without much friction.

I openend C120 and merged OpenSSL 1.1.0 into it. With that, we should now look
at all applications that use OpenSSL and make sure that we get the best out of
it. That means, that we should add all new ciphers that we can use now. We
should update cipher suites where ever we ship pre-configured ones, etc.

So please everyone review your patches that you have submitted, update them if
necessary and post them (again) to this list within the next week.

Again, I do not think that we should allow a long time to pass before this being
uploaded into testing.

Best,
-Michael

Re: Plans for the upcoming Core Updates

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1808 bytes --]

Hello Michael,
> Hello guys,
> 
> it has been a bit quiet this week on this list. So here is an update for
> everyone on where we are with the upcoming Core Updates.
> 
> I would also like to remind you that we have a monthly telephone conference for
> further information that is a bit too much to be written down.
> 
> So Core Update 119 is branched and ready to be uploaded into testing very soon.
> I did not merge OpenSSL into it because I thought that the update would a) get
> too large, b) is harder to test and c) we have some things in C119 already that
> should be released very very soon because of security reasons.
> 
> So basically C119 updates the toolchain, GCC, glibc on all systems. It has some
> smaller bug fixes and improvements and that is about it. It is a maintenance and
> housekeeping update, but that's kind of good that we have that isolated from any
> new features. We should be able to ship this soon without much friction.
I thought GCC brings some protection against Spectre ("retpolines")...
> 
> I openend C120 and merged OpenSSL 1.1.0 into it. With that, we should now look
> at all applications that use OpenSSL and make sure that we get the best out of
> it. That means, that we should add all new ciphers that we can use now. We
> should update cipher suites where ever we ship pre-configured ones, etc.
Yes, I will take care about the OpenSSL-DEFAULT-cipherlist-patch for 1.1.x so we
can merge that altogether.

Best regards,
Peter Müller
> 
> So please everyone review your patches that you have submitted, update them if
> necessary and post them (again) to this list within the next week.
> 
> Again, I do not think that we should allow a long time to pass before this being
> uploaded into testing.
> 
> Best,
> -Michael

Re: Plans for the upcoming Core Updates

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2156 bytes --]

On Thu, 2018-02-22 at 21:07 +0100, Peter Müller wrote:
> Hello Michael,
> > Hello guys,
> > 
> > it has been a bit quiet this week on this list. So here is an update for
> > everyone on where we are with the upcoming Core Updates.
> > 
> > I would also like to remind you that we have a monthly telephone conference for
> > further information that is a bit too much to be written down.
> > 
> > So Core Update 119 is branched and ready to be uploaded into testing very soon.
> > I did not merge OpenSSL into it because I thought that the update would a) get
> > too large, b) is harder to test and c) we have some things in C119 already that
> > should be released very very soon because of security reasons.
> > 
> > So basically C119 updates the toolchain, GCC, glibc on all systems. It has some
> > smaller bug fixes and improvements and that is about it. It is a maintenance and
> > housekeeping update, but that's kind of good that we have that isolated from any
> > new features. We should be able to ship this soon without much friction.
> 
> I thought GCC brings some protection against Spectre ("retpolines")...

Well we do have the right compiler now, but this is not active since
the current kernel doesn't support it.

Userspace has no advantage of this.

> > I openend C120 and merged OpenSSL 1.1.0 into it. With that, we should now look
> > at all applications that use OpenSSL and make sure that we get the best out of
> > it. That means, that we should add all new ciphers that we can use now. We
> > should update cipher suites where ever we ship pre-configured ones, etc.
> 
> Yes, I will take care about the OpenSSL-DEFAULT-cipherlist-patch for 1.1.x so we
> can merge that altogether.

Would you also update the ciphersuite for apache, too?

> Best regards,
> Peter Müller
> > 
> > So please everyone review your patches that you have submitted, update them if
> > necessary and post them (again) to this list within the next week.
> > 
> > Again, I do not think that we should allow a long time to pass before this being
> > uploaded into testing.
> > 
> > Best,
> > -Michael
> 
>