On Wed, Apr 12, 2006 at 08:42:44PM +0200, martinko wrote:
> Kris Kennaway wrote:
> > On Tue, Apr 11, 2006 at 05:46:06PM +0200, [EMAIL PROTECTED]@mgEDV.net wrote:
> >
> >>>I can't answer your main question, but I would say that you can bet your
> >>>shirt on the fact that there will be no known security issues in the
> >>>older packages.
> >>
> >>>At least for openssl and openssh you can get latest versions through the
> >>>ports. Not an option for everything -- I see no zlib for example and I
> >>>don't believe there's a standard cvs port either.
> >>
> >>as for zlib i definitely know, that there are 2 security flaws, which can
> >>lead to problems when invalid compressed data is fed.
> >
> > Already fixed as soon as they were published. Are there other reasons
> > to upgrade?
> >
> >>my problem also is not the installation of ports/packages/custom compiles,
> >>it's more that the operating system components itself are linked against
> >>these older libraries and therefore will contain bugs, which may have been
> >>already solved.
> >
> > The other side of this is that newer versions are often incompatible
> > (OpenSSL, I'm looking at you), which rules out upgrading the version
> > in a FreeBSD-STABLE branch since it ruins binary compatibility.
> >
> > Kris
>
> one may wonder why they change very minor version number/letter only, if
> the changes are so disturbing..
It's more that they don't have the foresight and discipline not to keep breaking interfaces. This may have changed recently, but I think their policy is still "until we release openssl 1.0 we make no promises about compatibility".

Kris