Subject: Re: openssl confusion
To: None <email@example.com>
From: Oleg Polyanski <Oleg.Polianski@team.telstraclear.co.nz>
Date: 08/15/2002 17:01:06
> > Could please anyone explain to me why some packages now require
> > the openssl package instead of using the in-tree version? This
> > leads to two different versions of the same piece of software to
> > be maintained. I searched the archives but have not found any
> > explanation for that.
> what version of openssl do you have in-tree? (check
> pkgsrc/security/openssl/buildlink.mk detects if in-tree
> version is vulnerable or not, so it seems to me that you
> have a vulnerable version in-tree.
You are right, I had a very similar suspicion. But why not to
simply refuse to build an application against the flawed library
instead of building silently another version of the same
library? If you do an automatic build with a lot of interpackage
dependencies, you might eventually end up with two different
libraries in your system even not knowing nothing about this fact.