Re: OpenSSL 1.1.0
On Wed, Nov 23, 2016 at 11:50:12PM -0200, Henrique de Moraes Holschuh wrote:
> On Thu, 24 Nov 2016, Kurt Roeckx wrote:
>...
> > > So, if Qt *ever* exposes its use of openssl anywhere in its APIs, it
> > > might not be safe. If it doesn't (i.e. at most you have a qt flag that
> > > says "use SSL", etc), then it should be fine.
> >
> > It seems to be doing this in qtbase5-private-dev. Not sure if
> > there are actually any users of it.
>
> If it does, all reverse *build* dependencies would need to be inspected,
> then.
>
> AFAIK, that means they must not link to anything that could link to a
> different libssl than the one used by qt5. If they do, everything needs
> to be inspected down to the details to ensure nothing will ever leak
> openssl contexts and data structures across a library boundary
> (including the application).

If inspection is not easily possible, then adding a dependency on
libssl1.0-dev to qtbase5-private-dev should be sufficient to
ensure that this is not leaked to a different OpenSSL version.

cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
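
One way to do the inspection discussed in this thread, as an added example that is not part of the original messages: scan `ldd`-style output for a binary and report when its dependency closure names more than one libssl/libcrypto version. The function names and the sample `ldd` output (including the `libhypothetical-*` libraries and all addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect two OpenSSL versions in one dependency closure.
# Real use: ldd /path/to/binary | has_mixed_openssl && echo "needs inspection"

# Print the distinct libssl/libcrypto sonames named in ldd output on stdin.
openssl_sonames() {
    awk '$1 ~ /^lib(ssl|crypto)\.so\./ { print $1 }' | sort -u
}

# Print the distinct OpenSSL version suffixes, one per line.
openssl_versions() {
    openssl_sonames | sed -E 's/^lib(ssl|crypto)\.so\.//' | sort -u
}

# Exit 0 when more than one OpenSSL version appears in the closure.
has_mixed_openssl() {
    n=$(openssl_versions | wc -l)
    [ "$n" -gt 1 ]
}

# Constructed sample: a binary that reaches both libssl 1.0.2 and 1.1.
sample_mixed() {
cat <<'EOF'
	linux-vdso.so.1 (0x00007ffc0a1f2000)
	libhypothetical-a.so.1 => /usr/lib/x86_64-linux-gnu/libhypothetical-a.so.1 (0x00007f1000000000)
	libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f1000200000)
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1000400000)
	libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f1000800000)
	libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f1000a00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1000e00000)
EOF
}

# Constructed sample: a binary that reaches only libssl 1.0.2.
sample_clean() {
cat <<'EOF'
	libhypothetical-b.so.1 => /usr/lib/x86_64-linux-gnu/libhypothetical-b.so.1 (0x00007f2000000000)
	libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f2000200000)
	libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f2000400000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2000800000)
EOF
}

if sample_mixed | has_mixed_openssl; then
    echo "sample_mixed: OpenSSL versions in closure:" $(sample_mixed | openssl_versions)
fi
```

This only covers libraries recorded as link-time dependencies; anything loaded with `dlopen()` at run time does not appear in `ldd` output and has to be checked separately.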