Subject: Re: openssl confusion
To: None <itojun@iijlab.net>
From: Oleg Polyanski <Oleg.Polianski@team.telstraclear.co.nz>
List: tech-pkg
Date: 08/15/2002 17:01:06
itojun@iijlab.net writes:
> > Could anyone please explain to me why some packages now require
> > the openssl package instead of using the in-tree version? This
> > leads to two different versions of the same piece of software
> > having to be maintained. I searched the archives but have not
> > found any explanation for that.
>
> What version of openssl do you have in-tree? (check
> /usr/include/openssl/opensslv.h)
> pkgsrc/security/openssl/buildlink.mk detects whether the in-tree
> version is vulnerable or not, so it seems to me that you
> have a vulnerable version in-tree.
You are right, I had a very similar suspicion. But why not
simply refuse to build an application against the flawed library
instead of silently building another version of the same
library? If you do an automatic build with a lot of interpackage
dependencies, you might eventually end up with two different
libraries on your system without even knowing about this fact.
Oleg
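The check itojun refers to, as an added illustration that is not pkgsrc's own buildlink.mk: read OPENSSL_VERSION_NUMBER out of an opensslv.h and compare it against a minimum acceptable version. The minimum 0x0090605f used below is an assumed placeholder, not a threshold stated in the thread, and the sample header is constructed here.

```shell
#!/bin/sh
# Added example, not pkgsrc code: decide whether an in-tree OpenSSL is at
# or above a minimum version by parsing OPENSSL_VERSION_NUMBER from its
# opensslv.h. OpenSSL encodes the version as a hex number MNNFFPPS
# (major, minor, fix, patch, status), so numeric comparison is sufficient.

# Print the OPENSSL_VERSION_NUMBER hex literal found in the given header
# (e.g. 0x0090602f), without the trailing L suffix; prints nothing if absent.
openssl_version_number() {
    sed -n 's/^#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_NUMBER[[:space:]]*\(0x[0-9a-fA-F]*\)L*.*/\1/p' "$1" | head -n 1
}

# Usage: openssl_is_recent_enough <header> <minimum-hex-literal>
# Returns 0 if the header's version is >= minimum, 1 if it is older,
# 2 if the header is unreadable or carries no version macro.
openssl_is_recent_enough() {
    header=$1
    minimum=$2
    [ -r "$header" ] || return 2
    found=$(openssl_version_number "$header")
    [ -n "$found" ] || return 2
    if [ "$(( $found ))" -ge "$(( $minimum ))" ]; then
        return 0
    fi
    return 1
}

# Constructed sample header standing in for /usr/include/openssl/opensslv.h.
sample=$(mktemp)
printf '#define OPENSSL_VERSION_NUMBER 0x0090602fL\n' > "$sample"
# Assumed placeholder minimum; the real threshold depends on the advisory in force.
if openssl_is_recent_enough "$sample" 0x0090605f; then
    echo "in-tree OpenSSL is recent enough; link against it"
else
    echo "in-tree OpenSSL is too old; refuse to build, or depend on pkgsrc/security/openssl"
fi
rm -f "$sample"
```

Refusing outright (a non-zero exit here) is the behaviour Oleg asks for; building the pkgsrc openssl instead is what buildlink.mk does, which is exactly how two libraries end up on one system unnoticed.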