On Friday November 13 2015 16:06:43 Jeremy Huddleston Sequoia wrote:

>You mean it is up to the developer that is a client of that Qt API, not the 
>user.  We should be protecting our users from developers that don't know 
>better.

I think that's going beyond MacPorts' goals. For once I agree with Larry that 
MacPorts is not a substitute for upstream patches. I've raised the issue on a 
Qt ML, where the 1st answer was that it's "the most common [...] to build 
OpenSSL without" support for SSL2 and SSL3. It hadn't occurred to me, but 
surely the experts on here know that the OPENSSL_NO_SSL* tokens checked in the 
Qt snippet I posted come from OpenSSL itself.

If anything, this kind of protection can be provided by building OpenSSL the 
right way, and/or by not accepting ports for software that actually uses the 
methods (or discontinuing those that do) but I still think they should only 
provide a big fat warning.
Or should ports that allow one to wipe one's entire disk be discontinued too?

For reference, Ubuntu 14.04 builds OpenSSL (1.01f) with `no-idea no-mdc2 no-rc5 
no-zlib  enable-tlsext no-ssl2` and adds `enable-ec_nistp_64_gcc_128` on x86_64.

R
_______________________________________________
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users
