
dependency on vulnerable version?



Hi!

Yes, it's me again with my dumb questions :)

Zorp depends on libssl. 
DSA-393-1 says that libssl 0.9.7c-1 should be okay.
The shlibs file of libssl0.9.7 contains an unversioned dependency,
and because of that, zorp's dependency is also not versioned.

Questions:
- Should I bother to give a dependency to a package version which
  is without known vulnerability (>= 0.9.7c-1)?
  In a security-oriented software?
- If giving dependency to not-known-vulnerable version is okay,
  how should I do it in a clean way? In shlibs.local (which I just got
  rid of ;)?
- Is it nice behaviour from libssl to give unversioned dependency?

-- 
GNU GPL: only from a clean source
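
The mechanism the message describes (an unversioned shlibs line yielding an unversioned dependency in the package built against it) can be modelled as below. This is an added example, not part of the original message and not Debian's code: it is a simplified model of the dpkg-shlibdeps lookup, the function names are hypothetical, and the shlibs lines are constructed to match the description above rather than copied from the real libssl0.9.7 package.

```python
# Simplified model of how a shlibs file maps a linked library to a Depends entry.
# Line format: "library soname-version dependencies"

# Constructed sample: unversioned entries, as the message describes for libssl0.9.7.
PACKAGE_SHLIBS = """\
libssl 0.9.7 libssl0.9.7
libcrypto 0.9.7 libssl0.9.7
"""

# Constructed sample: a debian/shlibs.local override pinning the DSA-393-1 fixed version.
SHLIBS_LOCAL = """\
libssl 0.9.7 libssl0.9.7 (>= 0.9.7c-1)
libcrypto 0.9.7 libssl0.9.7 (>= 0.9.7c-1)
"""

# Libraries the binary links against, as (library, soname-version) pairs (constructed).
NEEDED = [("libssl", "0.9.7"), ("libcrypto", "0.9.7")]

def parse_shlibs(text):
    """Return {(library, soversion): dependency string} for one shlibs file."""
    table = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 2)
        if len(fields) < 2 or fields[0].startswith("#") or fields[0].endswith(":"):
            continue  # blank line, comment, or entry for another package type
        table[(fields[0], fields[1])] = fields[2] if len(fields) == 3 else ""
    return table

def resolve(needed, sources):
    """Build the Depends value; sources are searched in order, first match wins."""
    deps = []
    for lib in needed:
        for text in sources:
            table = parse_shlibs(text)
            if lib in table:
                deps += [d.strip() for d in table[lib].split(",") if d.strip()]
                break
    return ", ".join(dict.fromkeys(deps))  # drop duplicates, keep order

def unversioned(depends):
    """List dependencies that carry no version constraint at all."""
    items = (d.strip() for d in depends.split(","))
    return [d for d in items if d and "(" not in d]

if __name__ == "__main__":
    plain = resolve(NEEDED, [PACKAGE_SHLIBS])
    pinned = resolve(NEEDED, [SHLIBS_LOCAL, PACKAGE_SHLIBS])
    print("library's shlibs only:", plain, "-> unversioned:", unversioned(plain))
    print("with shlibs.local    :", pinned, "-> unversioned:", unversioned(pinned))
```

With only the library's own shlibs file, any installed libssl0.9.7 satisfies the dependency, including versions older than the fix; the override listed first in the search order is what introduces the `>= 0.9.7c-1` floor.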


