Valid Sender ? - Re: cvs commit: ports/security/openssl Makefile

Kris Kennaway kris at obsecurity.org
Tue Oct 4 15:05:59 PDT 2005


On Tue, Oct 04, 2005 at 11:04:27PM +0200, Simon Barner wrote:
> [removed cvs-all from Cc:]
> 
> Dirk Meyer wrote:
> > Kris Kennaway wrote:
> > 
> > > > As you might see in the cvs Revision 1.100 is tagged with RELEASE_6_0_0
> > > > The update of openssl 0.9.8 was committed after this.
> > > 
> > > And when you commit a fix to some other port and then it has a
> > > security vulnerability, I can't slip the tag without worrying whether
> > > you've broken the package on 6.0 with the previous version of openssl.
> > 
> > Yes you can slip the tag on any port that depends on openssl.
> > 
> > That's why we have bsd.openssl.mk.
> > 
> > Unless you move the tag there and in openssl itself,
> > all ports will still build with the old openssl 0.9.7g
> 
> Hmm, I think Kris meant it like this:
> 
> When one upgrades a port P (e.g. openssl) that requires a lot of compatibility
> patches in other ports (API or ABI changes, ...), and _then_ one of the
> other ports (let's call it S) gets a security fix, then you cannot simply
> slip the tag on that port. This is because S contained also the
> compatibility patches, but the tag of port P still points at the old version.
> 
> Now, one needs to slip the tag of port P (and also of ports that depend on
> it, and maybe that of ports that depend on ports that depend ... you get
> the idea).
> 
> AFAICS there's no way to merge back the security patch only because our
> ports tree is not branched, and it's commonly agreed upon that it will
> never be due to lack of resources.

Yes, in other words the standard objection that is relevant every time
someone makes an API-breaking change during a release slush without
thinking about potential consequences [1].

Kris

[1] If you'd thought about it, you'd have discussed it with us first
to reassure us why it wouldn't be a problem.