    Security: Heartbleed on N900

    reinob | #21 | 2014-04-16, 09:18

    Originally Posted by pichlo:
        It certainly would, considering that it is firmly in the hands of Nokia and has not been updated for 3 years.

        If you want updates, CSSU is the only viable option.

    I don't think CSSU is that relevant in this case. You could easily replace libssl0.9.8 with the latest 0.9.8-compatible version (0.9.8y?, we have 0.9.8n), regardless of CSSU or not. It's just libssl.so.0.9.8 and libcrypto.so.0.9.8.

    If you do apt-cache rdepends libssl0.9.8 (or http://maemo.org/packages/package_in...-1+maemo4+0m5/) you see a whole bunch of packages depending on this specific version. So upgrading to a non-compatible version (1.0.1x) would require recompiling all those packages, some of which we don't have the source code for.

    CSSU does not magically provide the source code for closed programs. CSSU merely works around the (arbitrary, non-technical) restriction that some packages cannot be provided in the extras repository, by simply providing another repository. Huh. We own Maemo now, so maybe it's time to dump this restriction and allow safe-upgrading of core packages, without the need to buy the whole CSSU.

    peterleinchen | #22 | 2014-04-17, 07:30

    So what does it mean (rdepends)?
    Will installing this one here break something?

    mr_pingu | #23 | 2014-04-17, 07:57

    Originally Posted by peterleinchen:
        So what does it mean (rdepends)?
        Will installing this one here break something?

    Reverse depends: if you rdepends package x, you get a list of what is depending on x.

    Normal depends x lists all the packages x is depending on.

    nieldk | #24 | 2014-04-17, 08:00

    Originally Posted by peterleinchen:
        So what does it mean (rdepends)?
        Will installing this one here break something?

    Been using my version for a long time, with no issues. But, of course, something may get affected. I can't make any promises, just can observe no issues on my device, actually contrary. I don't seem to have GPS positioning issues (AGPS) as an example - although I can't confirm that this is related, it does seem it might be.

    reinob | #25 | 2014-04-17, 09:26

    Originally Posted by nieldk:
        Been using my version for a long time, with no issues. But, of course, something may get affected. I can't make any promises, just can observe no issues on my device, actually contrary. I don't seem to have GPS positioning issues (AGPS) as an example - although I can't confirm that this is related, it does seem it might be.

    +1. I also cannot report any problems using your version.

    However we have to understand that many packages/programs are linked to a specific version of libssl and/or libcrypto, so installing your openssl package will only affect programs that link to libcrypto.so and/or libssl.so (which symlink to 1.0.0), but not those linked to lib{ssl|crypto}.so.0.9.8 (= most of Maemo) or even libssl0.9.7 (AFAIK Karam's dsniff -- just hope the guy is OK).

    Obviously we (one..) could try brutally renaming/symlinking libssl0.9.8 to libssl1.0.0 and see what breaks. But surely things will break if there's been any kind of API changes (and let's not forget that this, unfortunately, *is* the favorite sport of FOSSy developers).

    I suggest someone (somebody do something!) create a Wiki page with the packages depending on ssl 0.9.8 and a note whether source code is available or not and whether compiling with a recent ssl works, and whether it works or not.

    Then we can start pushing updated versions to extras (or CSSU, whatever).

    NIN101 | #26 | 2014-04-17, 09:38

    From the OpenSSL FAQ:

    "Changes to the middle number are considered major releases and neither source nor binary compatibility is guaranteed."

    Thus if everything magically continues to work it's hardly more than pure luck.

    I would also think twice before downloading .deb files from questionable sources. I am not saying nieldk cannot be trusted (in the other thread he says he understands the security concerns), but you don't even know what options that .deb was built with.

    Last edited by NIN101; 2014-04-17 at 09:40.

     
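    As an added example (not code from the thread or from any Maemo package), a small POSIX sh helper for the two checks these posts describe before swapping libssl: classifying a proposed OpenSSL version jump by the FAQ's numbering rule, and listing which binaries load a given libssl/libcrypto soname. The inventory is constructed sample data in the shape an ldd loop produces; the paths are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread. Two pre-flight checks before
# replacing libssl/libcrypto on a Maemo box. Paths and the inventory below
# are constructed sample data.

# Classify an OpenSSL version jump using the numbering rule quoted from the
# OpenSSL FAQ: a change in the middle number is a major release (no ABI
# guarantee); same x.y.z with a new letter is a bug-fix release.
#   release_class 0.9.8n 0.9.8y -> letter
#   release_class 1.0.0  1.0.1  -> minor
#   release_class 0.9.8n 1.0.1g -> major
release_class() {
    old=$(printf '%s\n' "$1" | sed 's/[a-z]*$//')   # drop letter suffix
    new=$(printf '%s\n' "$2" | sed 's/[a-z]*$//')
    if [ "$old" = "$new" ]; then
        echo letter
    elif [ "${old%.*}" = "${new%.*}" ]; then           # same x.y, new z
        echo minor
    else
        echo major
    fi
}

# Constructed "binary soname" inventory, the shape you would get from
#   for b in /usr/bin/*; do ldd "$b" | awk -v b="$b" '/libssl|libcrypto/ {print b, $1}'; done
LIB_INVENTORY='/usr/bin/curl libssl.so.0.9.8
/usr/bin/curl libcrypto.so.0.9.8
/usr/bin/wget libssl.so.0.9.8
/usr/bin/wget libcrypto.so.0.9.8
/usr/bin/ssh libcrypto.so.0.9.8
/usr/bin/dsniff libssl.so.0.9.7
/usr/local/bin/openssl libssl.so.1.0.0
/usr/local/bin/openssl libcrypto.so.1.0.0'

# Binaries that load a given soname (what breaks if that file changes ABI).
consumers_of() {
    printf '%s\n' "$LIB_INVENTORY" | awk -v so="$1" '$2 == so { print $1 }' | sort -u
}

# Distinct binaries per soname, highest first: the "what depends on 0.9.8"
# list from the linking side, complementing apt-cache rdepends.
soname_summary() {
    printf '%s\n' "$LIB_INVENTORY" | sort -u \
        | awk '{ n[$2]++ } END { for (s in n) print n[s], s }' | sort -rn
}
```

    Replace LIB_INVENTORY with real ldd output to inventory an actual device; anything listed under the old soname is what must be recompiled or verified before a "major" jump.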
    nieldk | #27 | 2014-04-17, 09:44

    config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
