On 08-03-18 10:57, Richard Laager via devel wrote:
> On 03/08/2018 01:40 AM, Udo van den Heuvel via devel wrote:
>> Why wouldn't we require a certain openssl version as there are a number
>> of security vulnerabilities in (older) openssl?
>
> Isn't this potentially the case with any dependency? Shouldn't this be
> handled through normal update mechanisms, rather than every application
> trying to enforce a secure version of its dependencies?

Can we trust the distros to deliver openssl updates in time?
Can't we simply enforce a reasonable level? (e.g. a maximum of XX months old version of openssl)
The security chain is only as strong as the weakest link...

Kind regards,
Udo

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel