Frank Heimes (fheimes) wrote : Re: [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

Since time is progressing and 24.04 FF is coming soon,
let me sum this up a bit and let me extract a few concerns/questions that arose out of this discussion:

a) In such cases Canonical/Ubuntu can take (stable) patches that are upstream accepted.
   However, in this particular case the patch(es) have landed in the 2.5.x devel trunk.
   But support for an LTS release might be granted for up to 12 years these days.
   Hence in this particular case we would need IBM's commitment on the help supporting these
   patches, and especially the ongoing push to get them into stable (which would ease the
   maintenance burden a lot - and is btw. what we usually would require).
b) Even if we talk about 'just' 4 commits (if I got things right):
   the changes (esp. of cc796e2) are significant.
   1) Can we be sure that no further changes that have made it over time into 2.5.x
      are needed on top (means any add. internal code dependencies)?
   2) And has this ever been tried with 2.4.x (which would mitigate the above)?
   3) And would you share the backported version of the commit(s) for the 2.4.x trunk?