On Wed, 29 Sep 2010 14:13:37 -0700, Kyle Bader wrote:
Debian, being a volunteer organization, has its upsides and
downsides. The downside here being without an active volunteer
interested in this problem, nothing has happened.
What is needed here is someone to step up to the plate: file some bugs;
try to find the patches; backport and test them; etc. Bottom line,
a little work and communication with maintainers of the affected
packages would go a long way toward resolving this.
That was my initial goal in initiating this conversation. I provided
a link to the patches already:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/jaunty/openssl/jaunty-proposed/revision/34
I installed the jaunty package on my lenny machines and the ff error
console warning is gone:
https://debian-lenny.badercom.net/
It appears to work but whenever a package as critical as openssl is
modified it's important to have upstream take a look to make sure
everything looks good. Ubuntu may or may not have done this, I
haven't done the legwork to figure that out but it looks like that
could be the next step. If I/we/whoever can verify this or gain the
blessing of upstream, would you consider updating the package, Kurt, if I
also coordinate this with the Debian apache and nginx packagers?
I could have sworn that renegotiation in lenny's openssl was disabled.
But according to the changelog, that looks to not be the case [0].
Based on that, I agree that a DSA should be issued.
Mike
[0]
http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_0.9.8g-15+lenny8/changelog