On Thu, Nov 24, 2016 at 03:59:10PM +0200, Adrian Bunk wrote:
> If inspection is not easily possible, then adding a dependency on
> libssl1.0-dev to qtbase5-private-dev should be sufficient to
> ensure that this is not leaked to a different OpenSSL version.

I see two disadvantages:

1) doesn't catch cases where a package doesn't depend on libssl at all,
   but depends on two libraries which in turn use qt and libssl.
2) needlessly affects packages which use qt, but don't use
   QNetwork / QSsl.

But I don't know a better alternative, either.

Jan