[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL

On 07/13/2014 09:48 PM, Mike Hommey wrote:
> On Sun, Jul 13, 2014 at 02:02:18PM +0200, Matthias Urlichs wrote:
>> Hi,
>> Bernhard R. Link:
>>> * Mike Hommey <mh@glandium.org> [140713 12:55]:
>>>> Contrary to what you seem to believe, this only really works if *both*
>>>> libraries have versioned symbols. Otherwise, you can end up with
>>>> libraries linked against the unversioned one using symbols from the
>>>> versioned one at run time when both are loaded in the same address
>>>> space.
>>> Actually, "both having versioned symbols" is not enough.
>>> It is either "both must always have had versioned symbols" or
>>> "both must have versioned symbols now and every binary linked against
>>> either must have been built (or rebuilt) after the symbols got
>>> versioned".
>> Bah. Thanks for the correction.
>> However, it seems that the current OpenSSL package _does_ have
>> fully-versioned symbols, at least if I understand "objdump -T"
>> correctly.
>> So the situation may not be as dire as this thread suggests.
> Well, it kind of is. Because those versioned symbols in openssl come
> from a debian patch, afaict. So while debian may be fine (as long as all
> build-rdeps have been rebuilt since openssl got those versioned
> symbols), other distros aren't covered, as well as binaries not
> compiled on debian.

Why should we care about other distros? Do they have an impact on us?


Reply to: