openssl commit
Udo van den Heuvel
udovdh at xs4all.nl
Thu Mar 8 11:06:59 UTC 2018
On 08-03-18 10:57, Richard Laager via devel wrote:
> On 03/08/2018 01:40 AM, Udo van den Heuvel via devel wrote:
>> Why wouldn't we require a certain openssl version as there are a number
>> of security vulnerabilities in (older) openssl?
>
> Isn't this potentially the case with any dependency? Shouldn't this be
> handled through normal update mechanisms, rather than every application
> trying to enforce a secure version of its dependencies?
Can we trust the distros to deliver openssl updates in time?
Can't we simply enforce a reasonable level? (e.g. maximum of XX months
old version of openssl)
The security chain is only as strong as the weakest link...
Kind regards,
Udo
More information about the devel
mailing list