
Re: dependency on vulnerable version?



On Thu, Oct 23, 2003 at 01:26:10AM +0200, Magosányi Árpád wrote:
> Zorp depends on libssl. 
> DSA-393-1 says that libssl 0.9.7c-1 should be okay.
> The shlibs file of libssl0.9.7 contains an unversioned dependency,
> and because of that, zorp's dependency is also not versioned.
 
> Questions:
> -Should I bother to give a dependency to a package version which
>  is without known vulnerability( >= 0.9.7c-1) ?
>  In a security-oriented software?

No.

> -If giving dependency to not-known-vulnerable version is okay,
>  how should I do it in a clean way? In shlibs.local (which I just got
>  rid of;) ?
> -Is it nice behaviour from libssl to give unversioned dependency?

Yes, because it uses the dependency for its intended purpose, to
document binary (in)compatibility.

Don't try to overload Depends/shlibs with a different meaning.
                   cu and- everything IMHO -reas
-- 
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
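As an added illustration (not code from the thread or from Debian's tools), the script below shows what the question is about: how a shlibs entry is turned into the generated ${shlibs:Depends} value, and how a debian/shlibs.local entry takes precedence over the system shlibs file, so that a versioned override would put a "not known vulnerable" constraint into a field meant to document ABI compatibility. The shlibs line format (library name, soname version, dependency) and the shlibs.local precedence are real; the libssl entries, the override and the resolver itself are constructed for this example and simplify what dpkg-shlibdeps does.

```python
# Constructed example: a minimal shlibs resolver modelled on dpkg-shlibdeps.
# It reads 'libname soversion dependency' lines and lets debian/shlibs.local
# override the system entry, which is the mechanism the thread discusses.
from typing import Dict, List, Tuple


def parse_shlibs(text: str) -> Dict[Tuple[str, str], str]:
    """Parse shlibs lines 'libname soversion dependency...' into a lookup table."""
    table: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed shlibs line: {line!r}")
        name, sover, dep = parts
        table[(name, sover)] = dep
    return table


def shlibs_depends(needed: List[Tuple[str, str]], system_shlibs: str,
                   shlibs_local: str = "") -> str:
    """Resolve each needed (libname, soversion) to a dependency string.
    As with dpkg-shlibdeps, an entry in debian/shlibs.local wins over the
    entry shipped by the library package."""
    system = parse_shlibs(system_shlibs)
    local = parse_shlibs(shlibs_local)
    deps: List[str] = []
    for key in needed:
        dep = local.get(key) or system.get(key)
        if dep is None:
            raise KeyError(f"no shlibs entry for {key}")
        if dep not in deps:
            deps.append(dep)
    return ", ".join(deps)


# Constructed system shlibs file: the unversioned dependency the thread describes.
SYSTEM_SHLIBS = """\
libssl 0.9.7 libssl0.9.7
libcrypto 0.9.7 libssl0.9.7
"""
# Constructed shlibs.local override: this encodes "not known vulnerable",
# not ABI compatibility, which is the overloading the reply advises against.
LOCAL_OVERRIDE = "libssl 0.9.7 libssl0.9.7 (>= 0.9.7c-1)\n"

NEEDED = [("libssl", "0.9.7")]  # what the linked binary was found to use

if __name__ == "__main__":
    print(shlibs_depends(NEEDED, SYSTEM_SHLIBS))                 # libssl0.9.7
    print(shlibs_depends(NEEDED, SYSTEM_SHLIBS, LOCAL_OVERRIDE))  # libssl0.9.7 (>= 0.9.7c-1)
```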


