[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dependency on vulnerable version?

On Thu, Oct 23, 2003 at 01:26:10AM +0200, Magosányi Árpád wrote:
> Zorp depends on libssl. 
> DSA-393-1 says that libssl 0.9.7c-1 should be okay.
> The shlibs file of libssl0.9.7 contains an unversioned dependency,
> and because of that, zorp's dependency is also not versioned.
> Questions:
> -Should I bother to give a dependency to a package version which
>  is without known vulnerability( >= 0.9.7c-1) ?
>  In a security-oriented software?


> -If giving dependency to not-known-vulnerable version is okay,
>  how should I do it in a clean way? In shlibs.local (which I just got
>  rid of;) ?
> -Is it nice behaviour from libssl to give unversioned dependency?

Yes, because it uses the dependency for its intended purpose, to
document binary (in)compatibilty.

Don't try to overload Depends/shlibs with a different meaning.
                   cu and- everthing IMHO -reas
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Reply to: