Distro patches
As a representative of the Distribution community, I want to raise a topic that I consider important for distributions and probably also large businesses.
Almost none of us uses vanilla OpenSSL. Each distro has a set of patches designed to cover real-life requests of our customers. These patches, as a rule, are of reasonable quality because they are used by a large number of customers and don’t have obvious bugs. On the other hand, these patches are probably not reviewed as thoroughly as the upstream code is. Rebasing these patches to a new release often takes a lot of effort.
I think it would be a win-win situation if we (Linux distros) could push some of our patches upstream. Upstream will get fixes and changes really requested by users, and downstreams will be able to reduce their maintenance efforts.
I understand that the review process is one of the bottlenecks when it comes to real-life pull requests. One of the possible options may be nominating the OpenSSL distro maintainers as committers. Other options could be cross-reviews between distros.
Randall Becker · Thu 23 Jan 2025 2:14PM
Would it not be more appropriate to have forks for each custom distro? We did that on NonStop for both the 1.0.2 and 1.1.1 series until our patches were accepted into the main code-base. I agree that anything of general usefulness should be ultimately approved. I also get that if someone wants FIPS certification/compliance, they do need to build off a known commit (ideally). Is this a FIPS requirement?
Dmitry Belyavsky · Thu 23 Jan 2025 2:27PM
Tomas, I agree that some patches are distro-specific, some are backports, etc. Those will be either rejected or not even proposed.
Randall, yes, I also have a similar background. It is quite inconvenient.
Tomas Mraz · Thu 23 Jan 2025 1:59PM
From my knowledge of Fedora/RHEL distro patches (and it is not up-to-date but from the times I was still at Red Hat), the problem was not that the distro patches would have low quality and be untested or wrong. The main problem with these patches was that they were really distro-specific, in many cases they did not care about working in other environments than the actual distro they were targeted at, etc. I do not think the main problem would be with reviews. The main problem would be to make the patches useful for more than just a small set of distros and buildable for everyone. But I definitely support this effort for all the patches which are more universally useful.