openssl commit

Udo van den Heuvel udovdh at xs4all.nl
Thu Mar 8 11:06:59 UTC 2018


On 08-03-18 10:57, Richard Laager via devel wrote:
> On 03/08/2018 01:40 AM, Udo van den Heuvel via devel wrote:
>> Why wouldn't we require a certain openssl version as there are a number
>> of security vulnerabilities in (older) openssl?
> 
> Isn't this potentially the case with any dependency? Shouldn't this be
> handled through normal update mechanisms, rather than every application
> trying to enforce a secure version of its dependencies?

Can we trust the distros to deliver openssl updates in time?
Can't we simply enforce a reasonable level? (e.g. a version of openssl
that is at most XX months old)
The security chain is only as strong as the weakest link...

Kind regards,
Udo
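The version floor discussed in this message, shown as an added C example (it is not code from this thread or from the project): the check is done twice, at compile time against the OpenSSL headers and at run time against the libcrypto that actually gets loaded, since with a shared library the two can differ. It uses the OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS. The 1.1.1 floor is an assumed policy value, and the USE_OPENSSL macro is an assumption of this example: build with -DUSE_OPENSSL -lcrypto to query the real library, otherwise the run-time check uses a constructed sample value.

```c
/*
 * Added example, not code from the list thread or the project: gate on a
 * minimum OpenSSL version at compile time (headers) and at run time (loaded
 * library), decoding OpenSSL's 0xMNNFFPPS version number.  The 1.1.1 floor
 * and the USE_OPENSSL switch are assumptions of this example.
 */
#include <stdio.h>
#include <string.h>

#define MIN_OPENSSL_VERSION 0x1010100fUL   /* 1.1.1 final; assumed policy floor */

#ifdef USE_OPENSSL
# include <openssl/opensslv.h>
# include <openssl/crypto.h>
/* Compile-time gate: refuse to build against headers older than the floor. */
# if OPENSSL_VERSION_NUMBER < MIN_OPENSSL_VERSION
#  error "OpenSSL headers older than 1.1.1; refusing to build"
# endif
#endif

/* Decode 0xMNNFFPPS into dotted form and return buf.  1.x releases used FF
 * for the fix level and PP for a patch letter (0x1000213f -> "1.0.2s");
 * 3.x keeps major/minor in place but stores the numeric patch level in PP
 * (0x30000080 -> "3.0.8"), so the two layouts must be decoded differently. */
char *openssl_version_string(unsigned long v, char *buf, size_t len)
{
    unsigned major = (v >> 28) & 0xf;
    unsigned minor = (v >> 20) & 0xff;
    unsigned fix   = (v >> 12) & 0xff;
    unsigned patch = (v >> 4)  & 0xff;

    if (major >= 3)
        snprintf(buf, len, "%u.%u.%u", major, minor, patch);
    else if (patch)
        snprintf(buf, len, "%u.%u.%u%c", major, minor, fix, (char)('a' + patch - 1));
    else
        snprintf(buf, len, "%u.%u.%u", major, minor, fix);
    return buf;
}

/* Run-time gate.  Returns 1 when the loaded library meets the floor, 0 when it
 * does not, and writes a one-line diagnostic to msg either way.  The numeric
 * comparison is valid across 1.x and 3.x because major sits in the top nibble. */
int openssl_version_ok(unsigned long have, unsigned long min, char *msg, size_t len)
{
    char h[32], m[32];
    openssl_version_string(have, h, sizeof h);
    openssl_version_string(min, m, sizeof m);
    if (have >= min) {
        snprintf(msg, len, "OpenSSL %s meets minimum %s", h, m);
        return 1;
    }
    snprintf(msg, len, "OpenSSL %s is older than required %s; refusing to start", h, m);
    return 0;
}

int main(void)
{
#ifdef USE_OPENSSL
    unsigned long have = OpenSSL_version_num();   /* the libcrypto actually loaded */
#else
    unsigned long have = 0x1000213fUL;            /* constructed sample: 1.0.2s */
#endif
    char msg[128];
    int ok = openssl_version_ok(have, MIN_OPENSSL_VERSION, msg, sizeof msg);
    puts(msg);
    return ok ? 0 : 1;
}
```

The run-time half is the part a build-time `#error` alone does not give you: a binary built on an up-to-date host can still be started against an older libcrypto on the target, and that is exactly the "weakest link" case. A calendar-based floor ("at most XX months old") cannot be checked this way, since the library does not carry its release date; it would have to be maintained as a table of version-to-date entries in the build.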
