| 1 |
Quoting Jeremy Huddleston: |
| 2 |
>They DO need to be recompiled if you have a newer version of the |
| 3 |
>dynamic lib that breaks binary compatibility but maintains API |
| 4 |
>compatibility (as we do here, or with libpng as another example). |
| 5 |
>That is why the -soname was changed. Usually, packages have the |
| 6 |
>-soname match lib<libname>.so.<major version> and changing |
| 7 |
>minor/tiny versions won't break binary incompatibility, but |
| 8 |
>openssl likes to use the tiny version to denote binary |
| 9 |
>compatibility. |
| 10 |
|
| 11 |
Right. And when you upgrade from any openssl-0.9.6x version to the |
| 12 |
0.9.7x series, the ebuild tells you to run revdep-rebuild to solve that |
| 13 |
problem. |
| 14 |
|
| 15 |
>You can't. That's why you should't use static libraries. |
| 16 |
|
| 17 |
The end user doesn't always get to choose; sometimes it's the |
| 18 |
developer. My understanding (my apologies if it's flawed) is that |
| 19 |
mod_ssl is statically compiled against openssl, so everyone using |
| 20 |
apache-1.x and mod_ssl needs to recompile mod_ssl after updating |
| 21 |
openssl. Is there anything else? And how does one know that? |
| 22 |
|
| 23 |
>you could do a 'readelf -s <exec> | grep <symbol>' on executables |
| 24 |
>to see if that symbol is present in the file... |
| 25 |
|
| 26 |
That's a pretty painful thing to do on every executable, but if that's |
| 27 |
all there is... |
| 28 |
|
| 29 |
-Joel Osburn |
| 30 |
|
| 31 |
|
| 32 |
-- |
| 33 |
gentoo-security@g.o mailing list |
Archives