Date: Sat, 20 Mar 2004 12:48:26 -0500 (EST)
From: John Mills
To: Lowell Gilbert
Cc: freebsd-questions@freebsd.org
In-Reply-To: <44smg3mp4t.fsf@be-well.ilk.org>
Subject: Dependencies of statically linked apps (was Re: update of OpenSSL from tarball)

On 20 Mar 2004, Lowell Gilbert wrote:

> "J.D. Bronson" writes:

> > ..this seems to correctly place all the files where they need to be
> > with the exception of a few. I did recompile a few apps since they had
> > ldd to older files that were incorrect.

..

> Most people's mileage *does* vary, because updating OpenSSL by itself
> isn't enough. Everything that linked to it statically needs to be
> updated as well, which most people won't have the skill (or
> inclination) to track down.

Good point, but how _does_ one learn which libs have been statically
linked when one has only the binary (assuming debug tags were stripped)?

If common dependent apps are identified in the bug or fix report, well and
good. Otherwise I don't see any alternative to that app's maintainers
making the vulnerability information available.

If there is a central list or clearing-house of such information, where
would it be?

 - John Mills
   1884 Ridgewood Dr, NE
   Atlanta, GA 30307-1166
   404.377.2577
   john.m.mills@alum.mit.edu
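
One heuristic for the question raised above, given as an added example that is not part of the original message or of any FreeBSD tool: OpenSSL compiles a version banner into its libraries as a string constant, and strip(1) removes symbols but not string data, so a stripped binary with the library linked in still carries it. The function names, verdict labels and sample byte strings below are constructed for illustration.

```python
import re
import sys

# Banner OpenSSL compiles into libcrypto/libssl, e.g. "OpenSSL 0.9.7c 30 Sep 2003".
BANNER = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]* +\d{1,2} [A-Z][a-z]{2} \d{4}")
# Shared-object names that show up in the dynamic string table of a
# dynamically linked binary (the names ldd resolves).
SHARED = re.compile(rb"lib(?:crypto|ssl)\.so(?:\.\d+)*")


def classify(data: bytes) -> dict:
    """Heuristically classify how a binary image relates to OpenSSL."""
    banners = sorted({m.decode("ascii") for m in BANNER.findall(data)})
    shared = sorted({m.decode("ascii") for m in SHARED.findall(data)})
    if banners and not shared:
        verdict = "likely-static"       # library code present, no .so reference
    elif banners and shared:
        # Dynamic link, but a banner is embedded too: either a compile-time
        # version string in the app or a second, static copy. Check by hand.
        verdict = "dynamic-with-embedded-banner"
    elif shared:
        verdict = "dynamic"             # updating the shared library covers it
    else:
        verdict = "no-openssl-seen"
    return {"verdict": verdict, "banners": banners, "shared": shared}


def scan(paths):
    """Classify each file; unreadable files are reported, not fatal."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = classify(fh.read())
        except OSError as exc:
            results[path] = {"verdict": "unreadable", "error": str(exc)}
    return results


# Constructed sample images (not real binaries) for offline checking.
SAMPLE_STATIC = (b"\x7fELF\x01\x01\x00OpenSSL 0.9.7c 30 Sep 2003\x00"
                 b"SSLv3 part of OpenSSL 0.9.7c 30 Sep 2003\x00")
SAMPLE_DYNAMIC = b"\x7fELF\x01\x01\x00libssl.so.3\x00libcrypto.so.3\x00"

if __name__ == "__main__":
    for path, res in scan(sys.argv[1:]).items():
        print(path, res["verdict"], *res.get("banners", []))
```

Run it over the directories holding installed binaries and compare any reported banner against the version named in the advisory. A binary that embeds the library without the banner string will be missed, so a clean result is not proof of absence.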