pkgsrc-Users archive
Re: Will OpenSSL 1.1l be back ported to 2021Q2?
On 09/07, Joerg Sonnenberger wrote:
> On Tue, Sep 07, 2021 at 03:32:46PM -0500, J. Lewis Muir wrote:
> > This is sad, IMO. An open-source project has certain responsibilities
> > when it comes to security. NetBSD, for example, has a security team,
> > and the security team addresses discovered security vulnerabilities
> > for the supported branches and releases security advisories. It seems
> > irresponsible for the pkgsrc project to say that there are only 30 days
> > left in Q2, it's a pain to fix it, so we won't.
>
> You are ignoring that OpenSSL tiny updates have a long history of
> breaking random things. They *always* need a careful studying of the
> diff to make sure they didn't completely %^$^$ the ABI.
Bummer, didn't know that; thanks for the explanation. That is
unfortunate, indeed. A pkgsrc stable branch that wants a patch release
that just fixes the security vulnerability, and an upstream that
makes ABI-breaking changes on the patch release: not a good match. I
don't know what you do with that. I guess a fork is needed (a la
GraphicsMagick).
Given what you've said, I think I would treat the OpenSSL situation on
the pkgsrc stable branch as "can't update to the latest patch release
because upstream has a history of providing a patch release that breaks
ABI backward compatibility."
> So yeah, for a CVE that most people will not have to care about, it can
> be difficult to find the motivation and time.
I didn't read the CVE, but I assumed that since Iain said it was given
a "high rating," it would affect a lot of people. Anyway, even if it
wouldn't affect many people, I would still think it should be addressed,
but as I said above, if upstream has a problem with making patch
releases that break ABI backward compatibility, that's a very difficult
situation, and I don't see a good way to deal with that, and I don't
think the responsibility should fall on pkgsrc developers.
Lewis
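One concrete check behind the "careful studying of the diff" that Joerg describes is comparing the exported symbol tables of the old and new library builds. The following is an added example, not code from this thread, from pkgsrc or from OpenSSL: a small Python script that parses `nm -D --defined-only` output for two builds of a shared library and reports removed, added and retyped exported symbols. The `nm` output embedded below is constructed sample data, and the `HYPOTHETICAL_*` names are placeholders, not real OpenSSL symbols.

```python
"""Diff the exported (dynamic) symbol tables of two shared-library builds.

Input is the text printed by `nm -D --defined-only libfoo.so` for each build.
Both bare and versioned symbol lines (name@@VERSION) are handled.
"""
import re
from typing import Dict, List

# One nm output line: optional hex address, one-letter symbol type, symbol name.
SYMBOL_RE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)$")

# Constructed sample output for an "old" build (not real OpenSSL data).
OLD_NM = """\
0000000000045a10 T EVP_EncryptInit_ex@@OPENSSL_1_1_0
0000000000045b20 T EVP_DecryptInit_ex@@OPENSSL_1_1_0
0000000000091c30 T X509_verify_cert@@OPENSSL_1_1_0
00000000002f1a00 D OPENSSL_ia32cap_P@@OPENSSL_1_1_0
0000000000077d40 T HYPOTHETICAL_removed_fn@@OPENSSL_1_1_0
0000000000077e50 T HYPOTHETICAL_made_data@@OPENSSL_1_1_0
0000000000077f60 t internal_helper
"""

# Constructed sample output for a "new" build: one symbol dropped, one added,
# one changed from a function (T) to a data object (D).
NEW_NM = """\
0000000000045a10 T EVP_EncryptInit_ex@@OPENSSL_1_1_0
0000000000045b20 T EVP_DecryptInit_ex@@OPENSSL_1_1_0
0000000000091c30 T X509_verify_cert@@OPENSSL_1_1_0
00000000002f1a00 D OPENSSL_ia32cap_P@@OPENSSL_1_1_0
00000000002f1b00 D HYPOTHETICAL_made_data@@OPENSSL_1_1_0
0000000000078000 T HYPOTHETICAL_new_fn@@OPENSSL_1_1_0
0000000000077f60 t internal_helper
"""


def parse_nm(text: str) -> Dict[str, str]:
    """Map exported symbol name -> nm type letter, skipping local symbols."""
    symbols: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = SYMBOL_RE.match(line)
        if not match:
            continue  # not a symbol line (e.g. a file-name header)
        kind, name = match.groups()
        # Lowercase types are local symbols and not part of the ABI,
        # except 'u' (unique global), which is exported.
        if kind.islower() and kind != "u":
            continue
        name = name.split("@", 1)[0]  # drop the @@VERSION suffix if present
        symbols[name] = kind
    return symbols


def compare_abi(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Return removed, added and retyped exported symbols between two builds."""
    old_names, new_names = set(old), set(new)
    return {
        "removed": sorted(old_names - new_names),
        "added": sorted(new_names - old_names),
        "changed": sorted(n for n in old_names & new_names if old[n] != new[n]),
    }


def is_abi_compatible(report: Dict[str, List[str]]) -> bool:
    """Removed or retyped symbols break existing binaries; additions do not."""
    return not report["removed"] and not report["changed"]


if __name__ == "__main__":
    result = compare_abi(parse_nm(OLD_NM), parse_nm(NEW_NM))
    for category, names in result.items():
        print(f"{category}: {', '.join(names) or '(none)'}")
    print("ABI compatible:", is_abi_compatible(result))
```

For real builds, save `nm -D --defined-only libcrypto.so.1.1 > old.txt` from each build and pass the file contents to `parse_nm`. A removed or retyped symbol is a definite break; an unchanged symbol list is not proof of compatibility, since struct layouts and enum values never appear in the symbol table, which is why the diff review described above is still needed on top of this check.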