From: Tobias Geerinckx-Rice
To: guix-devel@gnu.org
Subject: Should our openssl/fixed not have more fixin's by now?
Date: Wed, 11 Sep 2019 19:05:26 +0200

Guix,

1 CVE patch since 1.0.2p seems suspiciously low to me. I hope I'm wrong. In any case, there are new ones[0].

Me on IRC:

“I'd like to fix some CVEs in openssl, but it's not clear to me whether ‘letter releases’ are supposed to be ABI-compatible or not. It would be a big jump (1.0.2p → 1.0.2t), and our current openssl/fixed is just 1.0.2p + 1 patch, so I doubt it. But cherry-picking patches is proving too painful [for me].”

…mainly because I'm not that familiar with OpenSSL's release/git habits.

Kind regards,

T G-R

[0]: https://www.openssl.org/news/cl102.txt