Posts: 804 | Thanked: 1,598 times | Joined on Feb 2010 @ Gdynia, Poland
#4
Originally Posted by nieldk
1. Yes, crucial security package, probably a fair reason to update
2. On dropbox, simply because I don't have the hang of garage (yet) and I basically needed this for my own pentesting purposes (together with ruby1.93) for Metasploit.
[...]

No, not a rant. I completely understand your security concerns, as well as compatibility. I only tested this personally, and I can not guarantee issues, as it does make a replacement of the standard 0.98 installed version (this was needed for me).
So, I am sure further testing and more complex testing will be a good idea, before it will/can/should make it into any official repositories.
I think there's a reason why openssl keeps updating their old branches at the same time as the new ones, and there might be some binary incompatibilities and API-breaking changes. In my opinion we should rather update to 0.9.8y instead of 1.0.1e (they were published the same week, and each contains the newest bugfixes, just in different branches). And, if you need 1.0.1e, you could package it e.g. as "openssl1" (I think in MeeGo Harmattan the "libssl.so.0.9.8" was replaced with "libssl1.so.1.0.0", so if we follow the scheme, we could have both openssls installed and the newer one could be distributed via extras).

Originally Posted by nieldk
[...]
3. Right, sources are available. This is compiled straight from the original sources (http://www.openssl.org/source/openssl-1.0.1e.tar.gz)
[...]
If you're paranoid, you can never be sure. And Debian and/or Maemo usually add platform-specific patches for the sources, so it might be a good idea to append those while packaging, too.
 

The Following 2 Users Say Thank You to misiak For This Useful Post: