[oi-dev] review openssl-1.0

Alexander Pyhalov alp at rsu.ru
Tue Apr 15 09:47:44 UTC 2014


Hello.

On 04/15/2014 13:17, Bayard Bell wrote:
> If you want to keep 0.9.8, you'll want to get the post-0.9.8y changes that
> were meant to be part of the 0.9.8za phantom release:
>
> http://git.openssl.org/gitweb/?p=openssl.git;a=shortlog;h=refs/heads/OpenSSL_0_9_8-stable

Thanks for the reference; at least CVE-2014-0076 is worth patching. What do you 
mean by "were meant to be"? I see recent activity in the 0.9.8 branch. Isn't 
0.9.8za coming?

>
> When you say you massaged openssl 1.0 to build with gcc, were the only
> changes made to the build infrastructure in the form included in your mail,
> or did you have to make code changes? Are you not able to include the
> linker options, including the maps, with gcc? Why omit the frame pointer?

I've included linker options and compiler options in the new version. I 
didn't make any code changes.

>
> If you want to continue shipping different release series with 0.9.8, I'd
> strongly recommend putting it in a separate package so that it can be
> tracked as a separate dependency for packaged software and can be removed
> by anyone who doesn't need it and/or judges keeping the older code a
> greater liability.

The separate package won't help here (at least for now), as we can't 
recompile all dependent software. So, the option here is to make a new 
package and include a dependency on this package in 
library/security/openssl. I don't see much profit in this, because the 
libssl/libcrypto.so links point to the openssl 1.0 libssl/libcrypto. If we 
managed to recompile the package, it uses openssl 1.0, and we have to 
track only the non-recompiled packages that depend on openssl. When we don't 
have such packages any more, we can drop the openssl 0.9.8 libraries.

-- 
Best regards,
Alexander Pyhalov,
system administrator of Computer Center of Southern Federal University
