Udo van den Heuvel
udovdh at xs4all.nl
Thu Mar 8 11:06:59 UTC 2018
On 08-03-18 10:57, Richard Laager via devel wrote:
> On 03/08/2018 01:40 AM, Udo van den Heuvel via devel wrote:
>> Why wouldn't we require a certain openssl version as there are a number
>> of security vulnerabilities in (older) openssl?
> Isn't this potentially the case with any dependency? Shouldn't this be
> handled through normal update mechanisms, rather than every application
> trying to enforce a secure version of its dependencies?
Can we trust the distros to deliver openssl updates in time?
Can't we simply enforce a reasonable level? (e.g. maximum of XX months
old version of openssl)
The security chain is only as strong as the weakest link...
More information about the devel