From: Kris Kennaway
To: Simon Barner
Cc: cvs-ports@FreeBSD.org, Dirk Meyer, Kris Kennaway, ports-committers@FreeBSD.org
Date: Tue, 4 Oct 2005 18:05:56 -0400
Subject: Re: Valid Sender ? - Re: cvs commit: ports/security/openssl Makefile

On Tue, Oct 04, 2005 at 11:04:27PM +0200, Simon Barner wrote:
> [removed cvs-all from Cc:]
>
> Dirk Meyer wrote:
> > Kris Kennaway wrote:
> >
> > > > As you might see in the cvs Revision 1.100 is tagged with RELEASE_6_0_0
> > > > The update of openssl 0.9.8 was committed after this.
> > >
> > > And when you commit a fix to some other port and then it has a
> > > security vulnerability, I can't slip the tag without worrying whether
> > > you've broken the package on 6.0 with the previous version of openssl.
> >
> > Yes you can slip the tag on any port that depends on openssl.
> >
> > That's why we have bsd.openssl.mk.
> >
> > Unless you move the tag there and in openssl itself,
> > all ports will still build with the old openssl 0.9.7g
>
> Hmm, I think Kris meant it like this:
>
> When one upgrades a port P (e.g. openssl) that requires a lot of compatibility
> patches in other ports (API or ABI changes, ...), and _then_ one of the
> other ports (let's call it S) gets a security fix, then you cannot simply
> slip the tag on that port. This is because S contained also the
> compatibility patches, but the tag of port P still points at the old version.
>
> Now, one needs to slip the tag of port P (and also of ports that depend on
> it, and maybe that of ports that depend on ports that depend ... you get
> the idea).
>
> AFAICS there's no way to merge back the security patch only because our
> ports tree is not branched, and it's commonly agreed upon that it will
> never be due to lack of resources.

Yes, in other words the standard objection that is relevant every time
someone makes an API-breaking change during a release slush without
thinking about potential consequences [1].

Kris

[1] If you'd thought about it, you'd have discussed it with us first
to reassure us why it wouldn't be a problem.