Re: dependency on vulnerable version?
On Thu, Oct 23, 2003 at 01:26:10AM +0200, Magosányi Árpád wrote:
> Zorp depends on libssl.
> DSA-393-1 says that libssl 0.9.7c-1 should be okay.
> The shlibs file of libssl0.9.7 contains an unversioned dependency,
> and because of that, zorp's dependency is also not versioned.
> -Should I bother to give a dependency to a package version which
> is without known vulnerability( >= 0.9.7c-1) ?
> In a security-oriented software?
> -If giving dependency to not-known-vulnerable version is okay,
> how should I do it in a clean way? In shlibs.local (which I just got
> rid of;) ?
> -Is it nice behaviour from libssl to give unversioned dependency?
Yes, because it uses the dependency for its intended purpose, to
document binary (in)compatibility.
Don't try to overload Depends/shlibs with a different meaning.
cu and- everything IMHO -reas
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"