The following reply was made to PR bin/31120; it has been noted by GNATS.

From: brian@surge.insomnia.org
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org, zafer@gmx.org
Subject: Re: bin/31120 (update openssl in 3beta)
Date: Wed, 7 Jun 2006 20:06:37 -0400 (EDT)

 Has there been any thought to taking a hybrid type approach whereby netbsd 
 ships some version of openssl, ssh, what have you, but also fakes a pkg 
 install of it, and keeps the latest version in pkgsrc so it can be updated 
 should a customer so desire?
 
 On Wed, 7 Jun 2006, Christos Zoulas wrote:
 
 > Date: Wed,  7 Jun 2006 23:15:05 +0000 (UTC)
 > From: Christos Zoulas <christos@zoulas.com>
 > Reply-To: gnats-bugs@NetBSD.org
 > To: gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org, zafer@gmx.org
 > Subject: Re: bin/31120 (update openssl in 3beta)
 > 
 > The following reply was made to PR bin/31120; it has been noted by GNATS.
 >
 > From: christos@zoulas.com (Christos Zoulas)
 > To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org,
 > 	netbsd-bugs@netbsd.org, zafer@gmx.org
 > Cc:
 > Subject: Re: bin/31120 (update openssl in 3beta)
 > Date: Wed, 7 Jun 2006 19:12:41 -0400
 >
 > On Jun 7, 11:00pm, woods@weird.com ("Greg A. Woods") wrote:
 > -- Subject: Re: bin/31120 (update openssl in 3beta)
 >
 > |  That seems like a very much less than ideal approach to maintenance.
 > |
 > |  People will no doubt be running systems built from the NetBSD-3 branch
 > |  in production for years yet to come, and for something as central to
 > |  many security-related applications as OpenSSL is, it would seem
 > |  important to keep it as up to date as possible in _all_ supported
 > |  branches.
 >
 > Greg, what version is running on 3.0? Are there any known vulnerabilities
 > against it? The problem is that openssl is such a large package, and it
 > affects other things (ssh), so we have to weigh the risk/benefit of the
 > upgrade.
 >
 > christos
 >
 >