[PATCH 1/1] Just warn if linked libssl is more recent

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jun 17 11:38:42 CEST 2014


On 17 Jun 2014, at 10:20, Fajar A. Nugraha <list at fajar.net> wrote:

> On Tue, Jun 17, 2014 at 4:10 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
> On 17 Jun 2014, at 08:43, Christian Hesse <list at eworm.de> wrote:
> > Still the question is whether freeradius should break on ABI incompatibility
> > change (which should still give a warning with my patch) or break on *every*
> > openssl update, regardless of whether or not ABI changed.
> >
> > Searching for "freeradius libssl version mismatch" gives a lot of matches, so
> > looks like this is a real issue.
> 
> Some of those aren't for FreeRADIUS.
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732940
> 
> OpenSSH has also adopted this approach, with a very similar message to us.
> Obviously they got annoyed too.
> 
> I've changed the behaviour to match theirs.
> 
> 
> ... and apparently Debian's "solution" to the problem (from the same page) is
> 
>    * Restore patch to disable OpenSSL version check (closes: #732940).
> 
> So FR's position is to leave it to official distro packagers to disable it as well, just like allow_vulnerable_openssl?

FR's position is that package maintainers should re-build the FreeRADIUS package
when they build new MAJOR/MINOR versions of the OpenSSL package.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
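
The check debated in this thread, written as an added example (it is not FreeRADIUS or OpenSSH code): compare the OpenSSL version the server was compiled against with the version of the libssl it loaded at run time. The helper name, the result enum and the exact policy (fatal on a major/minor difference or an older linked library, warning on a newer fix/patch level) are assumptions, and the version pairs are constructed samples.

```c
#include <stdio.h>

/* OpenSSL 1.x packs its version number as 0xMNNFFPPS:
 * M major, NN minor, FF fix, PP patch letter, S status (0xf = release). */
#define VER_MAJOR_MINOR(v) (((v) >> 20) & 0xfffUL)  /* M and NN */
#define VER_FIX_PATCH(v)   (((v) >> 4) & 0xffffUL)  /* FF and PP */

enum ssl_check { SSL_CHECK_OK, SSL_CHECK_WARN, SSL_CHECK_FATAL };

/* Hypothetical helper. Assumed policy, not the project's code:
 *  different major/minor          -> fatal, rebuild the server package
 *  linked library older           -> fatal
 *  linked library newer fix/patch -> warning only
 * The status nibble is ignored.
 * In a real build: built = OPENSSL_VERSION_NUMBER, linked = SSLeay(). */
enum ssl_check ssl_version_check(unsigned long built, unsigned long linked)
{
    if (VER_MAJOR_MINOR(built) != VER_MAJOR_MINOR(linked))
        return SSL_CHECK_FATAL;
    if (VER_FIX_PATCH(linked) < VER_FIX_PATCH(built))
        return SSL_CHECK_FATAL;
    if (VER_FIX_PATCH(linked) > VER_FIX_PATCH(built))
        return SSL_CHECK_WARN;
    return SSL_CHECK_OK;
}

int main(void)
{
    /* Constructed sample pairs: {compiled against, linked at run time}. */
    static const unsigned long pairs[][2] = {
        { 0x1000107fUL, 0x1000107fUL },  /* 1.0.1g / 1.0.1g */
        { 0x1000107fUL, 0x1000108fUL },  /* 1.0.1g / 1.0.1h */
        { 0x1000108fUL, 0x1000107fUL },  /* 1.0.1h / 1.0.1g */
        { 0x0090812fUL, 0x1000107fUL },  /* 0.9.8r / 1.0.1g */
    };
    static const char *const names[] = { "ok", "warn", "fatal" };
    size_t i;

    for (i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++)
        printf("built 0x%08lx linked 0x%08lx: %s\n", pairs[i][0], pairs[i][1],
               names[ssl_version_check(pairs[i][0], pairs[i][1])]);
    return 0;
}
```

With this policy a distribution security update from 1.0.1g to 1.0.1h only produces a warning, while a server built against 0.9.8 and run with 1.0.1 refuses to start.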
