On 18/03/2020 06:08, John D. Baker wrote:
> After updating to pkgsrc-HEAD and rebuilding packages on a NetBSD/amd64 8.1_STABLE system, I discovered that "security/heimdal" had been installed. So, why is pkgsrc "heimdal" being installed on netbsd-8?

When I dug into this, it was because base heimdal links to libssl from openssl, and the base system openssl is classed as obsolete, so pkgsrc insists on installing the supported openssl-1.1.1. The biggest surprise from that install was ending up with a new su binary in /usr/pkg/ which always prompted for a Kerberos password, even when su'ing from root to another user. I set the option to have the commands prefixed with a k, so that the su in /usr/pkg became ksu.
That does leave NetBSD 8 users in a hard place, as, if a vulnerability is found in the base openssl, they have no way of getting a security patch for it unless NetBSD can somehow piggyback on the backport work of the Linux distributions like Debian and Ubuntu. Ubuntu 16 still has openssl 1.0.2, and they are committing to security updates for that until 2024. OpenSSL themselves have dropped support for it.
Mike
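The surprise Mike describes (a pkgsrc su landing in /usr/pkg and taking over from the base one) is a PATH-shadowing problem, and it is worth having a quick check for it before and after a pkgsrc rebuild. The script below is an added example written for this page; it is not code from the thread, from pkgsrc or from heimdal. `shadowed_cmds` lists every executable with a given name along a PATH in lookup order and returns non-zero when more than one is found, so a package binary sitting ahead of the base one is visible at once. The demo function builds a constructed directory layout under mktemp (not a real /usr) that mimics the situation in the thread. The mk.conf line in the comment is the pkgsrc option I believe Mike is referring to; verify the option name against pkgsrc/security/heimdal/options.mk on your tree.

```sh
#!/bin/sh
# Added example, not part of the original thread. POSIX sh; no bashisms.

# shadowed_cmds NAME [PATH]
#   Print every executable named NAME found along PATH (default: $PATH),
#   numbered in lookup order. Return 0 if at most one was found, 1 if the
#   command is shadowed (two or more copies, the first one wins).
shadowed_cmds() {
    name=$1
    path=${2:-$PATH}
    n=0
    oldifs=$IFS
    IFS=:
    set -- $path          # split PATH on ':' (empty entries mean ".")
    IFS=$oldifs
    for dir; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            n=$((n + 1))
            printf '%d\t%s\n' "$n" "$dir/$name"
        fi
    done
    [ "$n" -le 1 ]
}

# demo_shadowing
#   Constructed scenario: a throwaway tree in which /usr/pkg/bin/su (installed
#   by a pkgsrc heimdal without the k-prefix option) precedes the base
#   /usr/bin/su on PATH. Prints both copies, returns 1 because su is shadowed.
demo_shadowing() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/usr/pkg/bin" "$tmp/usr/bin"
    printf '#!/bin/sh\necho pkg su\n'  > "$tmp/usr/pkg/bin/su"
    printf '#!/bin/sh\necho base su\n' > "$tmp/usr/bin/su"
    chmod 755 "$tmp/usr/pkg/bin/su" "$tmp/usr/bin/su"
    if shadowed_cmds su "$tmp/usr/pkg/bin:$tmp/usr/bin"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# On a real NetBSD box run e.g.:  shadowed_cmds su
# If /usr/pkg/bin/su shows up first, the fix Mike chose is (to my knowledge)
# the pkgsrc option that prefixes the Kerberos commands with "k", set in
# /etc/mk.conf before rebuilding security/heimdal:
#   PKG_OPTIONS.heimdal+= kerberos-prefix-cmds
# after which the package installs ksu and the base su is found again.

if [ "${1-}" = "--demo" ]; then
    demo_shadowing
fi
```

Run it with `--demo` to see the constructed case, or call `shadowed_cmds su` (and the same for login, telnet, ftp and rsh, which the k-prefix option also affects) on the real system after a pkgsrc update. A non-zero exit from `shadowed_cmds` is a cheap thing to put in a post-rebuild check so that a base command quietly replaced by a package does not go unnoticed until the next su prompt.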