Date: Tue, 4 Oct 2005 18:05:56 -0400 From: Kris Kennaway <kris@obsecurity.org> To: Simon Barner <barner@FreeBSD.org> Cc: cvs-ports@FreeBSD.org, Dirk Meyer <dirk.meyer@dinoex.sub.org>, Kris Kennaway <kris@obsecurity.org>, ports-committers@FreeBSD.org Subject: Re: Valid Sender ? - Re: cvs commit: ports/security/openssl Makefile Message-ID: <20051004220556.GB64574@xor.obsecurity.org> In-Reply-To: <20051004210427.GA55575@zi025.glhnet.mhn.de> References: <8AYfVTn/WV@dmeyer.dinoex.sub.org> <200510040735.j947Z8rb069549@repoman.freebsd.org> <200510040735.j947Z8rb069549@repoman.freebsd.org> <20051004144319.GA71102@xor.obsecurity.org> <8AYfVTn/WV@dmeyer.dinoex.sub.org> <20051004174511.GA22748@xor.obsecurity.org> <1V%2BRzjn/WV@dmeyer.dinoex.sub.org> <20051004210427.GA55575@zi025.glhnet.mhn.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--p4qYPpj5QlsIQJ0K Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Oct 04, 2005 at 11:04:27PM +0200, Simon Barner wrote: > [removed cvs-all from Cc:] >=20 > Dirk Meyer wrote: > > Kris Kennaway schrieb:, > >=20 > > > > As you might see in the cvs Revision 1.100 is tagged with RELEASE_6= _0_0 > > > > The update of openssl 0.9.8 was commited after this. > > >=20 > > > And when you commit a fix to some other port and then it has a > > > security vulnerability, I can't slip the tag without worrying whether > > > you've broken the package on 6.0 with the previous version of openssl. > >=20 > > Yes you can slip the tag on any port that depends on openssl. > >=20 > > Thats why we have bsd.openssl.mk. > >=20 > > Unless you move the tag there and in openssl itself, > > all ports will still build with the old openssl 0.9.7g >=20 > Hmm, I think Kris meant it like this: >=20 > When one upgrades a port P (e.g. openssl) that requires a lot of compatib= ility > patches in other ports (API or ABI changes, ...), and _then_ one of the > other ports (lets call it S) gets a security fix, then you cannot simply > slip the tag on that port. This is because S contained also the > compatibility patches, but the tag of port P still points at the old vers= ion. >=20 > Now, one needs to slip the tag of port P (and also of ports that depend on > it, and maybe that of ports that depend on ports that depend ... you get > the idea). >=20 > AFAICS there's no way to merge back the security patch only because our > ports tree is not branched, and it's commonly agreed upon that it will > never be due to lack of resources. Yes, in other words the standard objection that is relevant every time someone makes an API-breaking change during a release slush without thinking about potential consequences [1]. Kris [1] If you'd thought about it, you'd have discussed it with us first to reassure us why it wouldn't be a problem. --p4qYPpj5QlsIQJ0K Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDQvzDWry0BWjoQKURAiQfAKCd9VdAcits/tsH2DNqETyDZ58fyACgnP1p hCC6v80D2mIfeindUZm9zz4= =OYv2 -----END PGP SIGNATURE----- --p4qYPpj5QlsIQJ0K--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051004220556.GB64574>