Subject: Re: openssl confusion
To: Jun-ichiro itojun Hagino <itojun@iijlab.net>
From: Frederick Bruckman <fredb@immanent.net>
List: tech-pkg
Date: 08/13/2002 05:33:26
On Tue, 13 Aug 2002 itojun@iijlab.net wrote:

> > Could please anyone explain to me why some packages now require the
> > openssl package instead of using the in-tree version?  This leads
> > to two different versions of the same piece of software to be
> > maintained. I searched the archives but have not found any
> > explanation for that.

We've actually been doing this for a while, but it only affected a few
packages. Now, with the 1.5.x base libraries vulnerable, it's very
noticeable.

> 	what version of openssl do you have in-tree? (check
> 	/usr/include/openssl/opensslv.h)  pkgsrc/security/openssl/buildlink.mk
> 	detects if in-tree version is vulnerable or not, so it seems to me
> 	that you have a vulnerable version in-tree.

There's still no help for netbsd-1-5, is there? Even if openssl-0.9.6g
were to be pulled up, netbsd-1-5 users would still have to rebuild
many packages which use the in-tree openssl, on account of the shared
library major bumps. Not to mention, many people using NetBSD 1.5.2
won't bother to upgrade to 1.5.3 or 1.5.4_ALPHA anyway. 1.6 is looking
very attractive...


Frederick
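As an added example (not part of this thread, and not pkgsrc's own buildlink.mk), here is a small POSIX shell check in the spirit of the detection itojun describes: it reads OPENSSL_VERSION_NUMBER out of an opensslv.h and reports whether the in-tree OpenSSL is at least 0.9.6g, the release Frederick mentions as the candidate pull-up. It assumes OpenSSL's MNNFFPPS hex layout for that macro (so 0.9.6g is 0x0090607fL); the sample headers the script can write are constructed for demonstration, not copied from any real tree.

```sh
#!/bin/sh
# Added example: decide whether an in-tree OpenSSL is old enough that a
# package should build against pkgsrc/security/openssl instead.
# Assumption: OPENSSL_VERSION_NUMBER uses OpenSSL's MNNFFPPS hex layout,
# so 0.9.6g == 0x0090607fL (patch letter g == 7, status f == release).

MIN_SAFE=0x0090607f   # 0.9.6g, the oldest version we treat as acceptable

# Print the OPENSSL_VERSION_NUMBER hex literal from the header given as $1
# (without the trailing L). Prints nothing if the macro is not found.
opensslv_number() {
    sed -n 's/^#define[[:space:]]\{1,\}OPENSSL_VERSION_NUMBER[[:space:]]\{1,\}\(0x[0-9a-fA-F]\{1,\}\)L\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Exit status: 0 = header version >= 0.9.6g, 1 = older (vulnerable range),
# 2 = macro not found or file unreadable.
check_opensslv() {
    ver=$(opensslv_number "$1" 2>/dev/null)
    [ -n "$ver" ] || return 2
    if [ "$(( $ver ))" -ge "$(( $MIN_SAFE ))" ]; then
        return 0
    fi
    return 1
}

# Write a constructed opensslv.h fragment to $1 with number $2 and text $3.
# Only for demonstration; a real header has many more lines.
make_sample_header() {
    printf '#define OPENSSL_VERSION_NUMBER\t%sL\n#define OPENSSL_VERSION_TEXT\t"%s"\n' \
        "$2" "$3" > "$1"
}

# Stand-alone use: sh check_opensslv.sh [path-to-opensslv.h]
header=${1:-/usr/include/openssl/opensslv.h}
if [ -f "$header" ]; then
    check_opensslv "$header"; rc=$?
    case $rc in
        0) echo "$header: $(opensslv_number "$header") is >= 0.9.6g; in-tree OpenSSL is usable" ;;
        1) echo "$header: $(opensslv_number "$header") is older than 0.9.6g; build against pkgsrc openssl" ;;
        *) echo "$header: OPENSSL_VERSION_NUMBER not found" ;;
    esac
fi
```

The comparison is done on the full version number rather than on the version text, so patch-letter releases (0.9.6b versus 0.9.6g) compare correctly; a header without the macro is reported separately instead of being silently treated as safe.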