[15:06] <teward> mdeslaur: and the rest of sec team, are you on the ubuntu-devel-discuss list? A question RE: OpenSSL versions came up and which to use, and I think that has security impact so wanting to make sure you all are on the list of people who get the message.
[15:14] <mdeslaur> teward: thanks, I answered already
[15:19] <teward> mdeslaur: yep just saw your email come in thanks, wasn't sure if someone was already looking :)
[15:20] <teward> mdeslaur: the last time I think OpenSSL got backported/SRU'd was for 3.0 or something, no?  It was some non-standard LTS-only special case IIRC and it was a while ago
[15:20] <teward> and i do remember it caused some level of chaos.
[15:24] <mdeslaur> there was bionic, but we had also attempted to do it other times without actually going through with it
[15:29] <teward> yeah bionic is what i was thinking about
[15:29] <teward> any changes to core things like OpenSSL or Python that touch a ton of core things are a nasty evil thing so :p
[15:30] <teward> (python, perl, that kind of thing too)
[15:30] <JanC> Python has the advantage that you can  have multiple versions in parallel...
[15:33] <teward> JanC: accurate, unless you do a stupid and try and switch out the 'newer' versions for the system installed libraries, in which case it blows up a lot of things in base installations
[15:33] <teward> which too many end users do :\
[15:34] <teward> I personally leverage pyenv (https://github.com/pyenv/pyenv) to do userspace installs independent of system libs, but that's just me.
[15:34] <teward> (I have python 3.8 through 3.11 on this system thanks to it xD)
[15:38] <JanC> you can have multiple versions installed in parallel system-wide too, although only one can be 'python' at the same time, of course
[15:38] <teward> true
[15:38] <teward> JanC: but most of the things like add-apt-repository are built upon / dependent upon / assumed to always be on the default system installed python.
[15:38] <JanC> I don't think OpenSSL supports that (upstream)
[15:39] <teward> it doesn't but i was talking about python
[15:40] <teward> just pulling an example of repo stuff being chaotic that way
[15:40] <teward> because it torched someone's Lubuntu install :p
[15:40] <teward> (they yanked out py 3.7 on the version they installed, installed py 3.10, and now have a ton of apt-related errors)
[15:40] <teward> apt / python*
[15:42] <JanC> while they could just install it in parallel & use it as 'python3.10'... (or use some virtual/userspace environment instead)
[15:43] <teward> which is what I always tell people :P
[15:43] <JanC> maybe system tools should use/depend on explicit versions too? (to be more resilient)
[15:44] <teward> the problem is, end users are a little annoying
[15:44] <teward> and assume that because they can do something it's just going to work
[15:49] <JanC> maybe distros could have a 'syspython', and have system tools use/depend on that or something  :)
[15:57] <teward> JanC: That's... actually a good idea, I should consider posting that on ubuntu-devel-discuss.
[15:58] <mdeslaur> bionic has two different openssl versions in it currently, both installable in parallel
[15:59] <teward> mdeslaur: right, but that's unique to Bionic, right?
[15:59] <mdeslaur> once in a while a release has two
[15:59] <mdeslaur> trusty has two also
[16:00] <JanC> so openssl upstream supports that, or only in some cases? (when the ABI version changes?)
[16:01] <mdeslaur> we stuck it in an alternate directory
[16:01] <mdeslaur> I don't think upstream supports it
[16:02] <mdeslaur> actually, maybe the library name didn't actually conflict
[16:03] <mdeslaur> ah yes, it was different major versions, so the library didn't conflict, we just had to move the tools to an alternate directory