openssl vs. libressl
René J.V. Bertin
rjvbertin at gmail.com
Sat Nov 14 00:43:21 PST 2015
On Friday November 13 2015 16:06:43 Jeremy Huddleston Sequoia wrote:
>You mean it is up to the developer that is a client of that Qt API, not the user. We should be protecting our users from developers that don't know better.
I think that's going beyond MacPorts goals. For once I agree with Larry that MacPorts is not a substitute for upstream patches. I've raised the issue on a Qt ML, where the 1st answer was that it's "the most common [...] to build OpenSSL without" support for SSL2 and SSL3. It hadn't occurred to me, but surely the experts on here know that the OPENSSL_NO_SSL* tokens checked in the Qt snippet I posted come from OpenSSL itself.
If anything, this kind of protection can be provided by building OpenSSL the right way, and/or by not accepting ports for software that actually uses the methods (or discontinuing those that do) but I still think they should only provide a big fat warning.
Or should ports that allow one to wipe one's entire disk be discontinued too?
For reference, Ubuntu 14.04 builds OpenSSL (1.01f) with `no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2` and adds `enable-ec_nistp_64_gcc_128` on x86_64.
R
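
An added example, not part of the original message: a shell check of which legacy protocols a build configuration leaves compiled in, run against the Ubuntu option string quoted above and against a constructed `opensslconf.h` excerpt. The function names and the header excerpt are hypothetical, and the check assumes a protocol is compiled in whenever neither the `no-<proto>` option nor the `OPENSSL_NO_<PROTO>` define is present.

```shell
#!/bin/sh
# Added example: report which legacy protocols an OpenSSL build leaves enabled.

# Option string quoted in the message above (Ubuntu 14.04, per the post).
UBUNTU_OPTS='no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2'

# Constructed opensslconf.h excerpt; a real header is much longer.
sample_header() {
cat <<'EOF'
/* opensslconf.h (constructed excerpt) */
#ifndef OPENSSL_NO_IDEA
# define OPENSSL_NO_IDEA
#endif
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
/* #define OPENSSL_NO_SSL3 */
EOF
}

# enabled_by_options "<options>": print protocols with no no-<proto> option.
enabled_by_options() {
    out=''
    for proto in ssl2 ssl3; do
        case " $1 " in
            *" no-$proto "*) ;;          # explicitly disabled at configure time
            *) out="$out $proto" ;;      # assumption: absent option means enabled
        esac
    done
    echo "${out# }"
}

# enabled_by_header: read a header on stdin; print protocols that have no
# active "#define OPENSSL_NO_<PROTO>" line (commented-out defines do not count).
enabled_by_header() {
    hdr=$(cat)
    out=''
    for proto in SSL2 SSL3; do
        if ! printf '%s\n' "$hdr" |
            grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_${proto}([[:space:]]|\$)"; then
            out="$out $proto"
        fi
    done
    echo "${out# }"
}

echo "options leave enabled: $(enabled_by_options "$UBUNTU_OPTS")"
echo "header leaves enabled: $(sample_header | enabled_by_header)"
```

With the quoted Ubuntu options only `no-ssl2` is present, so the check reports SSL3 as still compiled in.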