We recommend upgrading to Debian 12 ("Bookworm") in anticipation of OpenSSL 1.x EOL

[mthalman]

We recommend upgrading to Debian 12 ("Bookworm") in anticipation of OpenSSL 1.x EOL

.NET users on Debian should consider upgrading to Debian 12 ("Bookworm") in anticipation of OpenSSL 1.x EOL in September 2023. Debian 11 ("Bullseye") ships with OpenSSL 1.x. Debian 12 ("Bookworm") ships with OpenSSL 3.x, which we expect to be officially supported for many years.

Note: Final OpenSSL EOL anouncement

We believe that security conscious users are best served by moving their workloads to an environment with OpenSSL 3.x.

You can move to .NET + Bookworm images by switching to one of the following tags, specific to the .NET version you are using:

• 6.0-bookworm-slim
• 7.0-bookworm-slim
• 8.0-preview-bookwork-slim
• 8.0-preview

You can search for bookworm tags to find other variants.

We expect Debian maintainers to apply OpenSSL 1.x security updates after upstream OpenSSL 1.x support ends, per their lifespan policy. Some users may prefer to continue to use Bullseye, with that same expectation.

The existing 6.0 and 7.0 tags will continue to be updated and reference Debian 11 ("Bullseye") images. The 8.0-preview tag already references Debian 12 ("Bookworm") images.

There is no action for Alpine 3.17+ and Ubuntu 22.04+ users.

• .NET 6 and 7 Ubuntu images — 6.0-jammy and 7.0-jammy — use Ubuntu 22.04, which includes OpenSSL 3.x.
• .NET 6 and 7 Alpine images — 6.0-alpine and 7.0-alpine — use Alpine 3.18+, which includes OpenSSL 3.x.

There is no action for users of .NET 8 images, which exclusively use distro versions that include OpenSSL 3.x.

Context

Our goal is that you have an easy path to staying on supported software versions. At the same time, we aim to maintain high compatibility for existing users.

We will NOT update the 6.0 and 7.0 floating tags to Debian 12. The highest value characteristic of containers is reliability. Our decision making follows from that. Many apps will break due to package version changes if we were to update the 6.0 and 7.0 tags to reference Debian 12 ("Bookworm") images.

Instead, we offer 6.0-bookworm-slim and 7.0-bookworm-slim tags for users that want to adopt Debian 12 ("Bookworm"). You must use those tags explicitly if you want to use Bookworm-base images.

The following are relevant statements from the OpenSSL and Debian projects.

If you got your copy of OpenSSL 1.1.1 from your Operating System vendor (e.g. via .rpm or .deb packages) or some other third party then the support periods that you can expect from them may differ to those provided by the OpenSSL Project itself. You should check with your OS vendor/other third party what support for OpenSSL you might expect from them.

From: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

The security team tries to support a stable distribution for about one year after the next stable distribution has been released, except when another stable distribution is released within this year. It is not possible to support three distributions; supporting two simultaneously is already difficult enough.

From: https://www.debian.org/security/faq#lifespan

Key Information

Debian releases:

• Debian Release Wiki
• Debian Releases

.NET releases:

• .NET Releases
• .NET Release Policies

Key dates:

• 9/11/2023: OpenSSL 1.x EOL
• 11/2023: .NET 8 GA
• 5/14/2024: .NET 7 EOL
• ~7/2024: Debian 11 EOL
• 11/2024: .NET 6 EOL

Key facts:

• .NET 6+ supports both OpenSSL 1.x and 3.x.
• Debian 11 ("Bullseye") offers/includes OpenSSL 1.x.
• Debian 12 ("Bookworm") offers/includes OpenSSL 3.x.
• The Debian security update policy states that Bullseye will remain supported after Bookworm is released.
• We may close OpenSSL 1.x issues and CVE reports after OpenSSL 1.x is EOL.

Bullseye EOL

A similar situation will occur in July 2024, when Debian 11 ("Bullseye") is End of Life, while .NET 6 is still supported. At that time, we will continue to update the 6.0 tag with Debian 11 ("Bullseye") based images. This situation repeats itself every two years, due to the way that .NET and Debian releases align. We think our approach satisfactorily balances compatibility, security, and user choice.