Date:      Tue, 4 Oct 2005 23:04:27 +0200
From:      Simon Barner <barner@FreeBSD.org>
To:        Dirk Meyer <dirk.meyer@dinoex.sub.org>
Cc:        cvs-ports@FreeBSD.org, Kris Kennaway <kris@obsecurity.org>, ports-committers@FreeBSD.org
Subject:   Re: Valid Sender ? - Re: cvs commit: ports/security/openssl Makefile
Message-ID:  <20051004210427.GA55575@zi025.glhnet.mhn.de>
In-Reply-To: <1V%2BRzjn/WV@dmeyer.dinoex.sub.org>
References:  <8AYfVTn/WV@dmeyer.dinoex.sub.org> <200510040735.j947Z8rb069549@repoman.freebsd.org> <200510040735.j947Z8rb069549@repoman.freebsd.org> <20051004144319.GA71102@xor.obsecurity.org> <8AYfVTn/WV@dmeyer.dinoex.sub.org> <20051004174511.GA22748@xor.obsecurity.org> <1V%2BRzjn/WV@dmeyer.dinoex.sub.org>

[removed cvs-all from Cc:]

Dirk Meyer wrote:
> Kris Kennaway wrote:
>
> > > As you might see in the cvs Revision 1.100 is tagged with RELEASE_6_0_0
> > > The update of openssl 0.9.8 was committed after this.
> >
> > And when you commit a fix to some other port and then it has a
> > security vulnerability, I can't slip the tag without worrying whether
> > you've broken the package on 6.0 with the previous version of openssl.
>
> Yes you can slip the tag on any port that depends on openssl.
>
> That's why we have bsd.openssl.mk.
>
> Unless you move the tag there and in openssl itself,
> all ports will still build with the old openssl 0.9.7g

Hmm, I think Kris meant it like this:

When one upgrades a port P (e.g. openssl) that requires a lot of compatibility
patches in other ports (API or ABI changes, ...), and _then_ one of the
other ports (let's call it S) gets a security fix, then you cannot simply
slip the tag on that port. This is because S contained also the
compatibility patches, but the tag of port P still points at the old version.

Now, one needs to slip the tag of port P (and also of ports that depend on
it, and maybe that of ports that depend on ports that depend ... you get
the idea).

AFAICS there's no way to merge back the security patch only because our
ports tree is not branched, and it's commonly agreed upon that it will
never be due to lack of resources.
-- 
Best regards / Viele Grüße,                             barner@FreeBSD.org
 Simon Barner                                                barner@gmx.de
