On 07/06/12 13:41, Samuli Seppänen wrote:
>
>> Hi,
>>
>> On Thu, Jun 07, 2012 at 11:48:37AM +0200, Paul Bakker wrote:
>>> Agreed as well..
>> So what...? 1.1.4 or "1.1.0, and put the responsibility on the
>> distro"?
>>
> I think this question is related to our project policies, not just
> to PolarSSL support. Do we want to try to protect packagers and
> those building from source from security issues by trying to force
> them to use latest libraries? In practice, some OS/distro packagers
> (e.g. for Debian stable) would have to circumvent our version
> checks due to their own project policies.

I probably lean more towards what Alon said earlier in this thread.
We should bother about APIs, not which security level/issues each
version has. Otherwise, we make life miserable for package
maintainers, where they might often backport security fixes without
altering the major/minor version number - which Adriaan also said.

In RHEL the packages are stabilised on a specific version and only
bugfixes and security fixes are backported and only exceptionally
features are backported. And even more seldom a package rebase
happens. And then to need to circumvent such version restrictions
when building openvpn, actually makes things harder for users.

kind regards,

David Sommerseth