Date: Sun, 27 Apr 2014 16:08:53 +0100 From: Jamie Landeg-Jones <jamie@dyslexicfish.net> To: freebsd-security@freebsd.org Subject: ports requiring OpenSSL not honouring OpenSSL from ports Message-ID: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>
next in thread | raw e-mail | index | archive | help
One of the first things I do on installing a new machine is install OpenSSL from ports. I do build with base OpenSSL due to the many programs that depend on it, but using ports OpenSSL for ports makes things easier to patch/update. In the case of Heartbleed, for example, I was able to fix ports OpenSSL much sooner than base. In the process, however, I discovered a couple of ports that built against base even when the port was installed. I was going to supply patches / notify the maintainers, but first did a check, and discovered that a lot of current ports do similar. It turns out that this wasn't a problem specifically, but more generally, it's possible that someone may think a port has been patched when it hasn't. Basically what I'm asking: Shouldn't a port that uses OpenSSL *always* build against the port if it's installed? I realise this isn't always possible to test, especially if the port Makefile doesn't have any openSSL configuration options, but I'd like to hear others opinions on the matter. [ Not crossposted to ports@ as I'm unsure onbcross-posting etiqurtte, but feel free to add them in if appropriate ] Cheers, Jamie -- No sig
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404271508.s3RF8sMA014085>