Comment 7 for bug 2050017

Frank Heimes (fheimes) wrote : Re: [24.04 FEAT] [SEC2339] HSM protected signing support for Apache httpd for openSSL 3.0 with PKCS #11 provider

Since time is progressing and 24.04 FF is coming soon,
let me sum this up a bit and let me extract a few concerns/questions that arose out of this discussion:

a) In such cases Canonical/Ubuntu can take (stable) patches that are upstream accepted.
   However, in this particular case the patch(es) have landed in the 2.5.x devel trunk.
   But support for an LTS release might be granted for up to 12 years these days.
   Hence in this particular case we would need IBM's commitment on the help supporting these
   patches, and especially the ongoing push to get them into stable (which would ease the
   maintenance burden a lot - and is btw. what we usually would require).
b) Even if we talk about 'just' 4 commits (if I got things right):
    https://github.com/apache/httpd/commit/cc796e269d7c4f8d105fa46b590c9301c2a55329
    https://github.com/apache/httpd/commit/2412f20b176ff54538b67088a9e643ffed6e87ae
    https://github.com/apache/httpd/commit/d3a970420f04f9304e202bd1bdc04cbace9bbbd1
    https://github.com/apache/httpd/commit/f5bf0869c7cfd6723f53115c8483737fce53fd2a
   the changes (esp. of cc796e2) are significant.
   1) Can we be sure that no further changes that have made it over time into 2.5.x
      are needed on top (meaning any additional internal code dependencies)?
   2) And has this ever been tried with 2.4.x (which would mitigate the above)?
   3) And would you share the backported version of the commit(s) for the 2.4.x trunk?