Date:      Tue, 4 Oct 2005 18:05:56 -0400
From:      Kris Kennaway <kris@obsecurity.org>
To:        Simon Barner <barner@FreeBSD.org>
Cc:        cvs-ports@FreeBSD.org, Dirk Meyer <dirk.meyer@dinoex.sub.org>, Kris Kennaway <kris@obsecurity.org>, ports-committers@FreeBSD.org
Subject:   Re: Valid Sender ? - Re: cvs commit: ports/security/openssl Makefile
Message-ID:  <20051004220556.GB64574@xor.obsecurity.org>
In-Reply-To: <20051004210427.GA55575@zi025.glhnet.mhn.de>
References:  <8AYfVTn/WV@dmeyer.dinoex.sub.org> <200510040735.j947Z8rb069549@repoman.freebsd.org> <200510040735.j947Z8rb069549@repoman.freebsd.org> <20051004144319.GA71102@xor.obsecurity.org> <8AYfVTn/WV@dmeyer.dinoex.sub.org> <20051004174511.GA22748@xor.obsecurity.org> <1V%2BRzjn/WV@dmeyer.dinoex.sub.org> <20051004210427.GA55575@zi025.glhnet.mhn.de>


On Tue, Oct 04, 2005 at 11:04:27PM +0200, Simon Barner wrote:
> [removed cvs-all from Cc:]
> 
> Dirk Meyer wrote:
> > Kris Kennaway wrote:
> > 
> > > > As you might see in the cvs, Revision 1.100 is tagged with RELEASE_6_0_0.
> > > > The update of openssl 0.9.8 was committed after this.
> > > 
> > > And when you commit a fix to some other port and then it has a
> > > security vulnerability, I can't slip the tag without worrying whether
> > > you've broken the package on 6.0 with the previous version of openssl.
> > 
> > Yes you can slip the tag on any port that depends on openssl.
> > 
> > That's why we have bsd.openssl.mk.
> > 
> > Unless you move the tag there and in openssl itself,
> > all ports will still build with the old openssl 0.9.7g
> 
> Hmm, I think Kris meant it like this:
> 
> When one upgrades a port P (e.g. openssl) that requires a lot of compatibility
> patches in other ports (API or ABI changes, ...), and _then_ one of the
> other ports (let's call it S) gets a security fix, then you cannot simply
> slip the tag on that port. This is because S also contained the
> compatibility patches, but the tag of port P still points at the old version.
> 
> Now, one needs to slip the tag of port P (and also of ports that depend on
> it, and maybe that of ports that depend on ports that depend ... you get
> the idea).
> 
> AFAICS there's no way to merge back the security patch only because our
> ports tree is not branched, and it's commonly agreed upon that it will
> never be due to lack of resources.

Yes, in other words the standard objection that is relevant every time
someone makes an API-breaking change during a release slush without
thinking about potential consequences [1].

Kris

[1] If you'd thought about it, you'd have discussed it with us first
to reassure us why it wouldn't be a problem.
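The tag-slip problem Simon describes above, as an added illustration that is not part of this thread or of the FreeBSD ports infrastructure: a toy model in which a release tag pins each port to a revision, a dependency (openssl) has moved past the tag with an API/ABI break, and dependents carry compatibility patches at HEAD. Slipping the tag on one dependent S for a security fix pulls in S's compat patch, which only builds against the new P, so P's tag must slip too, and every port built against the old P then has to be revisited. The port names, revision numbers, dependency edges and the `abi_break` flag are all constructed for the example; the two propagation rules are the conservative reading of the thread, not a description of how the ports tree actually tracks this.

```python
"""Toy model of release-tag slipping in an unbranched ports tree.

Constructed data: a tiny "ports tree" mapping each port to the revision the
release tag points at, the revision at HEAD, its dependencies, and whether
the upgrade past the tag broke API/ABI. None of these values are real.
"""
from collections import deque

# name -> {tagged revision, HEAD revision, dependencies, ABI break past tag}
PORTS = {
    "openssl": {"tag": "1.100", "head": "1.101", "deps": set(), "abi_break": True},
    "curl":    {"tag": "1.50",  "head": "1.51",  "deps": {"openssl"}, "abi_break": False},
    "openssh": {"tag": "1.80",  "head": "1.81",  "deps": {"openssl"}, "abi_break": False},
    "git":     {"tag": "1.10",  "head": "1.10",  "deps": {"curl"},    "abi_break": False},
    "vim":     {"tag": "1.20",  "head": "1.20",  "deps": set(),       "abi_break": False},
}


def reverse_deps(ports):
    """Map each port to the set of ports that depend on it directly."""
    rdeps = {name: set() for name in ports}
    for name, info in ports.items():
        for dep in info["deps"]:
            rdeps[dep].add(name)
    return rdeps


def moved_past_tag(ports, name):
    """True if the port has commits after the release tag."""
    return ports[name]["tag"] != ports[name]["head"]


def tag_slip_closure(ports, start):
    """Ports whose tag must slip if `start` is slipped to HEAD for a fix.

    Rule 1: a port slipped to HEAD carries the compatibility patches for
            every dependency that was upgraded after the tag, so each such
            dependency must slip as well (Simon's "port P").
    Rule 2: if a slipped dependency broke API/ABI, every port that was
            built against its old version must be revisited and slipped
            ("ports that depend on ports that depend ...").
    """
    rdeps = reverse_deps(ports)
    must_slip = {start}
    queue = deque([start])
    while queue:
        name = queue.popleft()
        if not moved_past_tag(ports, name):
            continue  # slipping to an identical revision changes nothing
        for dep in ports[name]["deps"]:           # rule 1
            if moved_past_tag(ports, dep) and dep not in must_slip:
                must_slip.add(dep)
                queue.append(dep)
        if ports[name]["abi_break"]:              # rule 2
            for user in rdeps[name]:
                if user not in must_slip:
                    must_slip.add(user)
                    queue.append(user)
    return sorted(must_slip)


if __name__ == "__main__":
    for port in ("curl", "git", "vim"):
        print(f"security fix in {port:8s} -> slip tags on {tag_slip_closure(PORTS, port)}")
```

Running it shows the asymmetry the thread is about: a fix in `vim`, which has no dependency that moved, slips only its own tag, whereas a fix in `curl` drags in `openssl` and, through the ABI break, `openssh` as well. The point is that the size of the closure is decided when the API-breaking upgrade is committed past the tag, not when the later security fix arrives.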