On 17 Jun 2014, at 10:20, Fajar A. Nugraha <list@fajar.net> wrote:
On Tue, Jun 17, 2014 at 4:10 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 17 Jun 2014, at 08:43, Christian Hesse <list@eworm.de> wrote:
Still the question is whether freeradius should break on ABI incompatibility change (which should still give a warning with my patch) or break on *every* openssl update, regardless of whether or not ABI changed.
Searching for "freeradius libssl version mismatch" gives a lot of matches, so looks like this is a real issue.
Some of those aren't for FreeRADIUS.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732940
OpenSSH has also adopted this approach, with a very similar message to us. Obviously they got annoyed too.
I've changed the behaviour to match theirs.
... and apparently Debian's "solution" to the problem (from the same page) is
* Restore patch to disable OpenSSL version check (closes: #732940).
So FR's position is to leave it to official distro packagers to disable it as well, just like allow_vulnerable_openssl?
FR's position is that package maintainers should re-build the FreeRADIUS package when they build new MAJOR/MINOR versions of the OpenSSL package. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2