From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Plans for the upcoming Core Updates
Date: Thu, 22 Feb 2018 22:45:41 +0000
Message-ID: <1519339541.2423.13.camel@ipfire.org>
In-Reply-To: <20180222210708.67d87fdb.peter.mueller@link38.eu>

On Thu, 2018-02-22 at 21:07 +0100, Peter Müller wrote:
> Hello Michael,
> > Hello guys,
> >
> > it has been a bit quiet this week on this list. So here is an update for
> > everyone on where we are with the upcoming Core Updates.
> >
> > I would also like to remind you that we have a monthly telephone conference for
> > further information that is a bit too much to be written down.
> >
> > So Core Update 119 is branched and ready to be uploaded into testing very soon.
> > I did not merge OpenSSL into it because I thought that the update would a) get
> > too large, b) is harder to test and c) we have some things in C119 already that
> > should be released very very soon because of security reasons.
> >
> > So basically C119 updates the toolchain, GCC, glibc on all systems. It has some
> > smaller bug fixes and improvements and that is about it. It is a maintenance and
> > housekeeping update, but that's kind of good that we have that isolated from any
> > new features. We should be able to ship this soon without much friction.
>
> I thought GCC brings some protection against Spectre ("retpolines")...

Well we do have the right compiler now, but this is not active since the current
kernel doesn't support it. Userspace has no advantage of this.

> > I opened C120 and merged OpenSSL 1.1.0 into it. With that, we should now look
> > at all applications that use OpenSSL and make sure that we get the best out of
> > it. That means, that we should add all new ciphers that we can use now. We
> > should update cipher suites wherever we ship pre-configured ones, etc.
>
> Yes, I will take care about the OpenSSL-DEFAULT-cipherlist-patch for 1.1.x so we
> can merge that altogether.

Would you also update the ciphersuite for apache, too?

> Best regards,
> Peter Müller
> >
> > So please everyone review your patches that you have submitted, update them if
> > necessary and post them (again) to this list within the next week.
> >
> > Again, I do not think that we should allow a long time to pass before this being
> > uploaded into testing.
> >
> > Best,
> > -Michael