Mail Archives: cygwin/2019/07/21/14:33:41

Message-ID: <5d34afd1.1c69fb81.8cfdd.7f14@mx.google.com>
Date: Sun, 21 Jul 2019 11:32:49 -0700 (PDT)
From: Steven Penny <svnpenn AT gmail DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: cURL dependencies broken
References: <87d0i31eyy DOT fsf AT Rainer DOT invalid>
User-Agent: Suede Mail/2.8.0 (github.com/cup/suede)

On Sun, 21 Jul 2019 19:20:53, Achim Gratz wrote:
> Or maybe you should do that and lose the attitude?

You are projecting. It was you who flatly refuted my position with no research
at all.

> Just to keep the record straight, you've been originally asking about
> direct dependencies of curl, not transitory ones; so no, I didn't look
> at those.

I never said children only, I think you assumed that. A grandchild is still a
dependency. Perhaps if I had said "direct dependencies" as you did, then it
would be fair to make that assumption.

> What has been obsoleted is actually libopenssl100; and it was
> replaced by compatibility shims in libssl-1.0 for libraries and
> applications that did not yet make the jump to the new API.

Right, so even in that case why is OpenLdap using "libopenssl100" instead of
"libssl1.0"?

> It would all have been fairly obvious if you had looked at the announcement
> mails and the actual library names.

Please do not assume what mails I do and do not look at.

> Your cygcheck output shows that this obsoletion has worked just the way it was
> supposed to.

In the general case yes, this is an elegant solution. However we are not in
the general case, we are talking about a security sensitive package. I think
it would be reasonable to expect that the cascading dependencies should be
updated in tandem in this case. Else you are left with "weakest link" syndrome,
where the end user is getting none of the security fixes in regard to cURL with
OpenLdap, or worse, they assume they are. It looks like OpenLdap has been able to
use OpenSSL 1.1 for over 2 years now:

- http://openldap.org/lists/openldap-bugs/201704/msg00053.html
- ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release

but maybe it has not been changed because the package is abandoned:

https://cygwin.com/cygwin-pkg-maint

Can we pull OpenLdap out of cURL until this is resolved? Else I can volunteer to
pick up maintenance.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
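The "weakest link" concern raised in the thread is a transitive-dependency problem: a binary that is itself built against the current OpenSSL can still load the obsoleted one through a library further down the chain. The following is an added example, not code from the thread or from Cygwin; it walks a constructed dependency graph modelled on `cygcheck <exe>` output, and the DLL names (cygcurl-4.dll, cygldap-2-4-2.dll, cygssl-1.0.0.dll and so on) and the obsolete set are assumptions for illustration.

```python
"""Walk a constructed DLL dependency graph (modelled on `cygcheck <exe>`
output) and report every chain from a security-sensitive binary to a
library that still belongs to an obsoleted OpenSSL line."""
from collections import deque

# Constructed sample, not real cygcheck output. Keys are binaries/DLLs,
# values are the DLLs each one loads (assumed names, for illustration).
DEPS = {
    "curl.exe": ["cygcurl-4.dll"],
    "cygcurl-4.dll": ["cygssl-1.1.dll", "cygcrypto-1.1.dll",
                      "cygldap-2-4-2.dll", "cygz.dll"],
    "cygldap-2-4-2.dll": ["cyglber-2-4-2.dll", "cygssl-1.0.0.dll",
                          "cygcrypto-1.0.0.dll"],
    "cyglber-2-4-2.dll": [],
    "cygssl-1.1.dll": ["cygcrypto-1.1.dll"],
    "cygcrypto-1.1.dll": ["cygz.dll"],
    "cygssl-1.0.0.dll": ["cygcrypto-1.0.0.dll"],
    "cygcrypto-1.0.0.dll": ["cygz.dll"],
    "cygz.dll": [],
}

# Libraries treated as obsolete (assumed names of the OpenSSL 1.0 shim DLLs).
OBSOLETE = {"cygssl-1.0.0.dll", "cygcrypto-1.0.0.dll"}


def transitive_deps(root, deps):
    """Every DLL reachable from root, direct or not (cycle-safe BFS)."""
    seen, queue = set(), deque([root])
    while queue:
        node = queue.popleft()
        for child in deps.get(node, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def obsolete_paths(root, deps, obsolete):
    """Dependency chains from root to each obsolete library, so the report
    names the intermediate package that drags the old library in."""
    paths = []

    def walk(node, path):
        for child in deps.get(node, []):
            if child in path:  # guard against cycles in the graph
                continue
            chain = path + [child]
            if child in obsolete:
                paths.append(chain)
            walk(child, chain)

    walk(root, [root])
    return paths


if __name__ == "__main__":
    for chain in obsolete_paths("curl.exe", DEPS, OBSOLETE):
        print(" -> ".join(chain))
```

Note that the direct dependencies of cygcurl-4.dll contain no obsolete library at all; only the transitive walk exposes the chain through cygldap-2-4-2.dll.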
