v10.x initial LTS release #374

Closed
MylesBorins opened this issue Oct 23, 2018 · 8 comments

@MylesBorins
Contributor

I've opened nodejs/node#23831 for the initial LTS release of v10.x

In this PR I've opted to not include any changes. We may want to include some minimal changes for things that are very broken, or alternatively follow up with a quick semver patch release.

Thoughts?

xnox commented Oct 23, 2018

How does this relate to nodejs/node#18770? In Ubuntu, we had to recently revert node 8 abi to compile against openssl 1.0.2 instead of 1.1.0, to stay compatible with node 8 ecosystem. Will v10.13.0 require openssl 1.1.0 abi, and ideally 1.1.1? Downloading v10.13.0 upstream binary builds I could not tell which openssl abi is in use. Ubuntu is currently in the process of upgrading openssl from 1.1.0 to 1.1.1 in bionic, and it is by far the most used ABI in bionic. It is expected that openssl1.0 will be removed from Ubuntu shortly, once the DD-series opens for development (to be released in April 2019). If this LTS node requires openssl 1.0.2 it is dead on arrival. I was expecting v11 to become the new LTS. Has there been a change of plans, or am I simply the only one confused?

xnox commented Oct 23, 2018

Debian is likely to remove openssl1.0.2 from the archive soon too. The only remaining blocker is openssh, which has been uploaded and is awaiting integration into testing.

Contributor Author

MylesBorins commented Oct 24, 2018

@xnox 10.x is currently shipping openssl1.1.0i, and based on nodejs/node#18770 it seems like we can upgrade to 1.1.1 in an LTS minor, but would only be able to support TLS up to 1.2.

8.x and 6.x are still on openssl1.02. 6.x goes end of life April '19 and 8.x goes end of life Dec '19.

We are spinning the release team meetings up again, would you want to participate in a few to work this out? #333

xnox commented Oct 24, 2018

@MylesBorins thank you for the update. My interest in this is time-limited due to managing openssl1.1.1 transition in Ubuntu, on a one-off basis. Let me check and figure out what patches are needed to clamp TLS up to 1.2 and ship that then. Cause that needs to go into 10.x if in Ubuntu we build it against openssl 1.1.1. Note the openssl 1.1.1 for bionic is prepared in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386 with the test archive already available at https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473

Member

rvagg commented Nov 14, 2018

Pretty sure we're going to get 1.1.1 into Node 10, that's the plan anyway and I know Debian is already shipping it against their 1.1.1 shared lib.

@rvagg rvagg closed this as completed Nov 14, 2018

xnox commented Nov 14, 2018

@rvagg not quite. It is in progress of being reverted.

https://ftp-master.debian.org/new/nodejs_10.13.0~dfsg-1.html

  * openssl: use bundled copy because node is not compatible
     with openssl 1.1.1 right now (and there is no upstream fix).
     On the plus side:
     + this avoids ABI breakage for C++ addons (Closes: #904274)
     + upstream have security support for openssl vulns
     On the down side, it's a policy 4.13 violation.

In unstable it was compiled against 1.1.1, but ran tests against 1.1.0 because they were failing otherwise.

So there was an attempt to ship with 1.1.1 in Debian, but that has failed.

Member

rvagg commented Nov 15, 2018

/cc @kapouer ^

kapouer commented Nov 15, 2018

@xnox: actually I uploaded nodejs_10.13.0~dfsg-2 some time ago, but it's not appearing in NEW. That's odd. Anyway the changelog is:

  * Upstream patches for openssl 1.1.1 support
  * Build using shared openssl and depend on it again
  * Test suite assumes embedded openssl.cnf

I'll reupload it and hopefully it'll go to experimental, then unstable, soon enough before Debian freeze.
