Am 07.09.2017 um 15:06 schrieb Alan DeKok:
So removing security checks is just not going to happen. Yeah, I actually wanted to second that.
But since everyone including FR relies on the dynamically linked libraries (SSL here), this specific security check boils down to checking the exact version, right? I thought the discussion started by Rui is about this snippet from debian/rules: ---------------------------------------------------------------------------------------------------- # Add dependency on distribution specific version of openssl that fixes Heartbleed (CVE-2014-0160). ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes) SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1f-1ubuntu2)" else SUBSTVARS = -Vdist:Depends="libssl1.0.0 (>= 1.0.1e-2+deb7u5)" endif ----------------------------------------------------------------------------------------------------- Or have I missed some additional checks?
So they still distribute 3.0.12, but with everything fixed. No. 3.0.15 would be "everything fixed". correct myself: They still distribute 3.0.12, but with security holes fixed in default config.
I find it hard to judge the Debian approach to security patches. Clinging to a particular version like that often means overdoing things. On the other hand, AFAIR with Heartbleed, they did a real good job by very quickly delivering a bugfix-only update. But as things are, I will continue compiling FR myself. Just good you provide all the prerequites. I do appreciate scurity-bugfix-only updates, though ;-) Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg