Re: Prefer pkgsrc OpenSSL after 2016Q1.

To: tech-pkg%netbsd.org@localhost
Subject: Re: Prefer pkgsrc OpenSSL after 2016Q1.
From: coypu%SDF.ORG@localhost
Date: Wed, 9 Mar 2016 08:18:23 +0000

On Tue, Mar 08, 2016 at 07:43:17PM -0500, Greg Troxel wrote:
> 
> coypu%SDF.ORG@localhost writes:
> 
> > Can we do this?
> > A lot of people are using this already, it's very well tested.
> > Asking early to avoid asking late.
> 
> Do what?  Change pkgsrc to blanket always prefer openssl?   I don't
> think we should - there are systems where base system openssl is
> perfectly ok (NetBSD current, NetBSD 7 and soon I expect NetBSD 6 - and
> probably quite a few others).
> 
> Are there specific version/os where you think base openssl is broken
> (and not about to be fixed), but pkgsrc uses it anyway?

Prefer it for NetBSD. sorry for not clarifying.

AFAIK, the current version is vulnerable to DROWN.
Unfortunately OpenSSL broke ABI compatibility so simply updating it in
base is challenging.

If simply updated, it will break most packages.
Here is the discussion of accidentally making a simple update in Gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=576128

pkgsrc has the facilities to handle this, base does not.

The main merit in my opinion is that it makes it very easy to update
for such vulnerabilities - you will be made to update by updating your
packages, even if you don't read the vulnerability reports on a regular
basis.

Follow-Ups:
- Re: Prefer pkgsrc OpenSSL after 2016Q1.
  - From: Manuel Bouyer

References:
- Prefer pkgsrc OpenSSL after 2016Q1.
  - From: coypu
- Re: Prefer pkgsrc OpenSSL after 2016Q1.
  - From: Greg Troxel

Prev by Date: Re: Prefer pkgsrc OpenSSL after 2016Q1.
Next by Date: Re: Prefer pkgsrc OpenSSL after 2016Q1.
Previous by Thread: Re: Prefer pkgsrc OpenSSL after 2016Q1.
Next by Thread: Re: Prefer pkgsrc OpenSSL after 2016Q1.
Indexes:

Home | Main Index | Thread Index | Old Index