Hi,
On 05/12/2013 08:46 AM, Jeff Mendoza wrote:
> Hi,
>
> I have worked a bit on:
>
> Request: OpenSSL with Elliptic Curve, IDEA, MDC-2, RC5 crypto algorithms
> Summary: The OpenSSL toolkit provides support for secure communications between machines.
> URL: http://www.openssl.org/
> Why not in Fedora: Because of the problem with software patents: https://bugzilla.redhat.com/show_bug.cgi?id=319901
> Notes: OpenSSL is included in Fedora but with Elliptic Curve, IDEA, MDC-2, RC5 crypto algorithms disabled.
>
> from the http://rpmfusion.org/Wishlist.
>
> I have a building and working rpm, but I don't know what the name/version should be. Is there a standard for packages that replace one in Fedora? I thought of calling it openssl-ec, and having it conflict with openssl, but you can't use yum to replace it without removing openssl and all its dependent packages. Using 'rpm -e --nodeps' and then installing the replacement works fine.

Hmm, I didn't know we had this on our wish list, I must say that given the security implications, I'm not really enthusiastic about having a replacement for openssl in rpmfusion.

We do sometimes use conflicts for -freeworld versions of applications which are built with extra features. But for libraries we should never use Conflicts, as they may change soname and then things will break hard. The usual approach is instead to install the rpmfusion version of the lib into a subdir of %{_libdir} and then drop in a .conf file into /etc/ld.so.conf.d/ adding that dir to the search path (such a dir will then be searched before %{_libdir}).

Given the special nature of openssl and its tendency to change soname every other release, the only acceptable solution to me would be to:

1) Not Conflict
2) Put the openssl so file in a subdir of %{_libdir}
3) Provide an example file for /etc/ld.so.conf.d/ as %doc
4) Add a README.rpmfusion explaining that the example file needs to be copied by the admin to /etc/ld.so.conf.d/ and containing a big fat warning that rpmfusion cannot guarantee timely security updates to its openssl package, and that the admin may need to disable it, falling back to the rpmfusion version, when a security update to openssl is needed.

Note that this means that a simple "yum install openssl-freeworld" will do nothing but eat some disk-space. This is by design, so that people doing "yum install openssl*" or "yum install *-freeworld" don't accidentally start depending on our openssl. The move to rpmfusion ssl REALLY needs to be a conscious decision, not a side effect of a badly constructed yum command.

Regards,
Hans
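
For the layout described in the reply above (library in a subdir of %{_libdir}, activated only by a file in /etc/ld.so.conf.d/), an admin needs a quick way to see whether such an override is currently active. The shell function below is an added example, not code from this thread or from rpmfusion; the function name, the tab-separated output and the rule of taking only the first word of each line are assumptions of this example.

```shell
# Added example: list ld.so.conf.d entries whose directory ships its own
# libssl/libcrypto, i.e. a drop-in that makes the loader prefer a
# replacement OpenSSL over the one in the default library directory.
#
# Usage: find_ssl_overrides ""             # live system
#        find_ssl_overrides /path/to/root  # chroot or constructed test tree
#
# Output: one line per library found: <conf file><TAB><library path>
# Limitations (assumed for brevity): one directory per line, first word
# only; "include" directives inside the drop-in files are not followed.

find_ssl_overrides() (
    # Subshell body keeps the loop variables out of the caller's scope.
    root="${1:-}"
    for conf in "$root"/etc/ld.so.conf.d/*.conf; do
        [ -f "$conf" ] || continue        # glob matched nothing
        # "|| [ -n ... ]" also handles a last line without a newline.
        while read -r dir rest || [ -n "$dir" ]; do
            dir="${dir%%#*}"              # drop comments
            case "$dir" in
                ''|include) continue ;;   # blank, comment or include line
            esac
            for lib in "$root$dir"/libssl.so* "$root$dir"/libcrypto.so*; do
                [ -e "$lib" ] || continue # unmatched glob stays literal
                printf '%s\t%s\n' "${conf#"$root"}" "${lib#"$root"}"
            done
        done < "$conf"
    done
)
```

Empty output means no drop-in exposes a replacement libssl or libcrypto. On a live system, `ldconfig -p` additionally shows which copy the loader cache currently resolves.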