[openssl-users] How to find patches for a particular OpenSSL version?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[openssl-users] How to find patches for a particular OpenSSL version?

pratyush parimal
Hi all,

I am currently using openssl 1.0.1e (compiling from source), and I was wondering whether I needed to put in any patch files with it as well. Does anybody know? Let's assume I can't just use a later version's tarball.

In general I wanted to know how I could reliably find out what patches I need to apply for a particular OpenSSL version.

Thanks,
Pratyush Parimal.



_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-users] How to find patches for a particular OpenSSL version?

Salz, Rich
> I am currently using openssl 1.0.1e (compiling from source), and I was wondering whether I needed to put in any patch files with it as well. Does anybody know? Let's assume I can't just use a later version's tarball.

There are no patch files.  Letter releases, 1.0.1f, 1.0.1g, etc., are only bugfixes.  You could read through the commit log, find which changes fixed bugs that you care about, get those commits, and apply them by hand.  Ugh.  That's going to take a very long time.

You should reconsider your assumption.

--  
Senior Architect, Akamai Technologies
IM: [hidden email] Twitter: RichSalz


_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-users] How to find patches for a particular OpenSSL version?

Jakob Bohm-7
On 23/04/2015 01:27, Salz, Rich wrote:
>> I am currently using openssl 1.0.1e (compiling from source), and I was wondering whether I needed to put in any patch files with it as well. Does anybody know? Let's assume I can't just use a later version's tarball.
> There are no patch files.  Letter releases, 1.0.1f, 1.0.1g, etc., are only bugfixes.  You could read through the commit log, find which changes fixed bugs that you care about, get those commits, and apply them by hand.  Ugh.  That's going to take a very long time.
>
> You should reconsider your assumption.
Note however, that the Debian project, as a matter of
policy, does this for *all* the software they ship,
including OpenSSL 1.0.1e in wheezy.   And it is probably
a lot of work, made infinitely more difficult by the
"not my style" wholesale reformatting of the latest
1.0.1 tarball.

On the bad side, the patch work Debian does is specific
to their OS, and has on at least one occasion introduced
a major security flaw not in the official project.

On the good side, there is no particular reason to take
Mr. Salz advise in these matters, as he seems to be the
project member with the least understanding of what
other people need from the project.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users