Re: OpenSSL 1.1.0

To: debian-devel@lists.debian.org
Subject: Re: OpenSSL 1.1.0
From: Adrian Bunk <bunk@stusta.de>
Date: Thu, 24 Nov 2016 17:16:03 +0200
Message-id: <[🔎] 20161124151603.elnzigqcssigv6vz@bunk.spdns.de>
In-reply-to: <[🔎] 20161124142005.GA31107@x61s.reliablesolutions.de>
References: <[🔎] 20161116174944.mz7rmyb3igzksuiu@bunk.spdns.de> <[🔎] 20161116215317.lwpt7oaexauiz6x2@breakpoint.cc> <[🔎] 20161117111039.en3earxej5fakotp@bunk.spdns.de> <[🔎] 20161121101109.eag7zlnybwiyog6v@mac.home> <[🔎] 20161121130655.GA3748@x61s.reliablesolutions.de> <[🔎] 1479735013.3271507.794517385.7B1EBBB0@webmail.messagingengine.com> <[🔎] 20161123233700.qqx3xvfigny7ed5y@roeckx.be> <[🔎] 20161124015012.GA5102@khazad-dum.debian.net> <[🔎] 20161124135910.j5zpgjdzrqemi3au@bunk.spdns.de> <[🔎] 20161124142005.GA31107@x61s.reliablesolutions.de>

On Thu, Nov 24, 2016 at 03:20:06PM +0100, Jan Niehusmann wrote:
> On Thu, Nov 24, 2016 at 03:59:10PM +0200, Adrian Bunk wrote:
> > If inspection is not easily possible, then adding a dependency on 
> > libssl1.0-dev to qtbase5-private-dev should be sufficient to
> > ensure that this is not leaked to a different OpenSSL version.
> 
> I see two disadvantages:
> 
> 1) doesn't catch cases where a package doesn't depend on libssl at all,
>    but depends on two libraries which in turn use qt and libssl.
>...

I was answering to the "exposes OpenSSL internels (e.g. opaque structs)
in its API" problem.

When every -dev that contains headers exposing OpenSSL internals depends 
on the libssl*-dev it uses, then this problem is solved.

dlopen() is a separate problem.

> But I don't know a better alternative, either.
> 
> Jan

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to:

References:
- Re: OpenSSL 1.1.0
  - From: Adrian Bunk <bunk@stusta.de>
- Re: OpenSSL 1.1.0
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
- Re: OpenSSL 1.1.0
  - From: Adrian Bunk <bunk@stusta.de>
- Re: OpenSSL 1.1.0
  - From: Tino Mettler <tino.mettler@tikei.de>
- Re: OpenSSL 1.1.0
  - From: Jan Niehusmann <jan@gondor.com>
- Re: OpenSSL 1.1.0
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: OpenSSL 1.1.0
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: OpenSSL 1.1.0
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: OpenSSL 1.1.0
  - From: Adrian Bunk <bunk@stusta.de>
- Re: OpenSSL 1.1.0
  - From: Jan Niehusmann <jan@gondor.com>

Prev by Date: Re: OpenSSL 1.1.0
Next by Date: Re: Let's stop using CVS for debian.org website
Previous by thread: Re: OpenSSL 1.1.0
Next by thread: Re: OpenSSL 1.1.0
Index(es):
- Date
- Thread