tech-pkg archive


Re: Prefer pkgsrc OpenSSL after 2016Q1.



On Tue, Mar 08, 2016 at 07:43:17PM -0500, Greg Troxel wrote:
> 
> coypu%SDF.ORG@localhost writes:
> 
> > Can we do this?
> > A lot of people are using this already, it's very well tested.
> > Asking early to avoid asking late.
> 
> Do what?  Change pkgsrc to blanket always prefer openssl?   I don't
> think we should - there are systems where base system openssl is
> perfectly ok (NetBSD current, NetBSD 7 and soon I expect NetBSD 6 - and
> probably quite a few others).
> 
> Are there specific version/os where you think base openssl is broken
> (and not about to be fixed), but pkgsrc uses it anyway?


Prefer it for NetBSD. Sorry for not clarifying.

AFAIK, the current version is vulnerable to DROWN.
Unfortunately OpenSSL broke ABI compatibility so simply updating it in
base is challenging.

If simply updated, it will break most packages.
Here is the discussion of accidentally making a simple update in Gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=576128

pkgsrc has the facilities to handle this, base does not.

The main merit in my opinion is that it makes it very easy to update
for such vulnerabilities - you will be made to update by updating your
packages, even if you don't read the vulnerability reports on a regular
basis.
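An added illustration, not part of this thread or the poster's message: the "facilities" pkgsrc offers here are its PREFER_PKGSRC / PREFER_NATIVE knobs, which decide per package whether the builtin (base system) library or the pkgsrc one satisfies a dependency. The fragment below assumes the default mk.conf location on NetBSD (/etc/mk.conf) and shows the single setting that makes every dependent package build against pkgsrc's OpenSSL instead of the base one.

```make
# /etc/mk.conf (assumed default location on NetBSD) - added example, not from the thread
#
# Tell pkgsrc's builtin.mk logic to ignore the base-system OpenSSL and
# depend on security/openssl from pkgsrc instead. Packages that link
# against libssl/libcrypto will then be rebuilt against the pkgsrc copy.
PREFER_PKGSRC+=		openssl

# The opposite knob, shown for contrast: this would force the base-system
# library to be used even when a pkgsrc version exists.
#PREFER_NATIVE+=	openssl
```

Packages already built against the base OpenSSL must be rebuilt after changing this; after that, the usual vulnerability bookkeeping (pkg_admin fetch-pkg-vulnerabilities followed by pkg_admin audit) covers OpenSSL like any other installed package, which is the "you will be made to update by updating your packages" effect the poster describes.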

