ports requiring OpenSSL not honouring OpenSSL from ports
Jamie Landeg-Jones
jamie at dyslexicfish.net
Sun Apr 27 15:09:03 UTC 2014
One of the first things I do on installing a new machine is install
OpenSSL from ports. I do build with base OpenSSL due to the many programs
that depend on it, but using ports OpenSSL for ports makes things easier
to patch/update.
In the case of Heartbleed, for example, I was able to fix ports OpenSSL
much sooner than base.
In the process, however, I discovered a couple of ports that built against
base even when the port was installed. I was going to supply patches /
notify the maintainers, but first did a check, and discovered that a lot
of current ports do similar.
It turns out that this wasn't a problem specifically, but more generally,
it's possible that someone may think a port has been patched when it hasn't.
Basically what I'm asking: Shouldn't a port that uses OpenSSL *always*
build against the port if it's installed?
I realise this isn't always possible to test, especially if the port Makefile
doesn't have any openSSL configuration options, but I'd like to hear
others opinions on the matter.
[ Not crossposted to ports@ as I'm unsure onbcross-posting etiqurtte, but
feel free to add them in if appropriate ]
Cheers,
Jamie
--
No sig
More information about the freebsd-security
mailing list