I was prepared to argue for this change as (if working as intended) it has basically no impact on our own applications and could help quite a few unsuspecting users, but since you asked for evidence I did a little digging, and was somewhat surprised by what I found. While it is true that there are quite a bit of software out there that embeds older versions of OpenSSL, NodeJS are the outliers in pointing to /etc/ssl as their OPENSSLDIR. In fact, even our own package points to /usr/lib/ssl, with symlinks to /etc for the config file and the certificates.
I erroneously thought that the OpenSSL upstream default was also /etc/ssl, but as it turns out they're using the more sensible /usr/local/ssl as a default.
This limits the impact to
1/ third-party packages depending on our old libssl1.1,
2/ our nodejs package
3/ upstream NodeJS builds
I'm not particularly keen on doing this SRU just for the sake of 1/, and 2/ can be fixed in that package, but do we want to break things for 3/ ?
I don't know much about the JS ecosystem. My first Google result for `installing nodejs on Ubuntu` was pretty quick to point me towards `nvm` to "easily install different versions of Node", and that tool seems to download upstream binaries directly.
I'm OK either way, and I've already started working on extending the test case as per your requests.
Many thanks for raising this :)
I was prepared to argue for this change as (if working as intended) it has basically no impact on our own applications and could help quite a few unsuspecting users, but since you asked for evidence I did a little digging, and was somewhat surprised by what I found. While it is true that there are quite a bit of software out there that embeds older versions of OpenSSL, NodeJS are the outliers in pointing to /etc/ssl as their OPENSSLDIR. In fact, even our own package points to /usr/lib/ssl, with symlinks to /etc for the config file and the certificates.
I erroneously thought that the OpenSSL upstream default was also /etc/ssl, but as it turns out they're using the more sensible /usr/local/ssl as a default.
This limits the impact to
1/ third-party packages depending on our old libssl1.1,
2/ our nodejs package
3/ upstream NodeJS builds
I'm not particularly keen on doing this SRU just for the sake of 1/, and 2/ can be fixed in that package, but do we want to break things for 3/ ?
I don't know much about the JS ecosystem. My first Google result for `installing nodejs on Ubuntu` was pretty quick to point me towards `nvm` to "easily install different versions of Node", and that tool seems to download upstream binaries directly.
I'm OK either way, and I've already started working on extending the test case as per your requests.