On Sun, 21 Jul 2019 19:20:53, Achim Gratz wrote:
> Or maybe you should do that and lose the attitude?

You are projecting. It was you who flatly refuted my position with no research at all.

> Just to keep the record straight, you've been originally asking about direct dependencies of curl, not transitory ones; so no, I didn't look at those.

I never said children only, I think you assumed that. A grandchild is still a dependency. Perhaps if I had said "direct dependencies" as you did, then it would be fair to make that assumption.

> What has been obsoleted is actually libopenssl100; and it was replaced by compatibility shims in libssl-1.0 for libraries and applications that did not yet make the jump to the new API.

Right, so even in that case why is OpenLdap using "libopenssl100" instead of "libssl1.0"?

> It would all have been fairly obvious if you had looked at the announcement mails and the actual library names.

Please do not assume what mails I do and do not look at.

> Your cygcheck output shows that this obsoletion has worked just the way it was supposed to.

In the general case yes, this is an elegant solution. However we are not in the general case, we are talking about a security sensitive package. I think it would be reasonable to expect that the cascading dependencies should be updated in tandem in this case. Else you are left with "weakest link" syndrome, where the end user is getting none of the security fixes in regard to cURL with OpenLdap, or worse they assume they are.

It looks like OpenLdap has been able to use OpenSSL 1.1 for over 2 years now:

- http://openldap.org/lists/openldap-bugs/201704/msg00053.html
- ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release

but maybe it has not been changed because the package is abandoned:

https://cygwin.com/cygwin-pkg-maint

Can we pull OpenLdap out of cURL until this is resolved? Else I can volunteer to pick up maintenance.