<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Jun 17, 2014 at 4:10 PM, Arran Cudbard-Bell <span dir="ltr"><<a href="mailto:a.cudbardb@freeradius.org" target="_blank">a.cudbardb@freeradius.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><br>
On 17 Jun 2014, at 08:43, Christian Hesse <<a href="mailto:list@eworm.de">list@eworm.de</a>> wrote:<br>> Still the question is whether freeradius should break on ABI incompatibility<br>
> change (which should still give a warning with my patch) or break on *every*<br>
> openssl update, regardless of whether or not ABI changed.<br>
><br>
> Searching for "freeradius libssl version mismatch" gives a lot of matches, so<br>
> looks like this is a real issue.<br>
<br>
</div>Some of those aren't for FreeRADIUS.<br>
<br>
<a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732940" target="_blank">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732940</a><br>
<br>
OpenSSH has also adopted this approach, with a very similar message to us.<br>
Obviously they got annoyed too.<br>
<br>
I've changed the behaviour to match theirs.<br>
<div class=""><div class="h5"><br></div></div></blockquote><div><br></div><div>... and apparently Debian's "solution" to the problem (from the same page) is</div><div><br></div><div><div> * Restore patch to disable OpenSSL version check (closes: #732940).</div>
</div><div><br></div><div>So FR's position is to leave it to official distro packagers to disable it as well, just like allow_vulnerable_openssl?</div><div><br></div><div>-- </div><div>Fajar</div></div></div></div>