Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
<terryatsnort@xxxxxxxxxxx> writes:
> Do you mean the need, every few years, to change the code to keep up with
> API changes?
> Or are you thinking of mosquitto as producing binary releases, but
> somehow statically linking OpenSSL, and therefore a perceived need to
> regenerate them every time there is a patch-level OpenSSL release?
> [Terry] this is exactly what I thought. E.g., these days, a customer
> using a product would often scan the application by themselves, then
> they would like to know what to do when a new OpenSSL CVE is reported
> publicly:
>
> * is this OpenSSL CVE applicable to this application (here, Mosquitto)?
> This might be the hardest, because they don't know exactly which functionalities are used and how (without studying the source code)
> * if it's applicable, do I need to get a new version?
> * or is it necessary for me to compile the code with the latest OpenSSL?
>
> Hope this makes sense.
I see. Well, that's not really about mosquitto. People should be using
packaging systems that deal with security updates, and should be using
dynamic linking of self-compiled programs so that after updating openssl
from the packaging system a restart will cause things to be running with
the new version.
I am not in favor of using money aimed at improving open source to work
around more generic Windows software packaging problems -- but I have no
particularly special standing here, just a random list member.
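The reply's point, that a dynamically linked binary picks up a packaged OpenSSL fix once the library is updated and the process restarted, can be checked on a host. The script below is an added example, not part of the original message or of the Mosquitto project. It assumes a Linux host with ldd, pidof and /proc, a binary named mosquitto, and the ldd output and /proc/PID/maps lines embedded in it are constructed samples, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original message or the Mosquitto project):
# does a binary such as mosquitto get OpenSSL fixes through the package
# manager, and is a running copy still mapping the old library?
# Assumes Linux (/proc, ldd, pidof). Sample inputs below are constructed.

# Parse ldd-style output on stdin; print resolved libssl/libcrypto paths.
# Returns 0 when the binary links OpenSSL dynamically, 1 when it does not
# (statically linked, or ldd reporting "not a dynamic executable").
openssl_dynamic_deps() {
    grep -E '^[[:space:]]*lib(ssl|crypto)\.so' \
        | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' \
        | grep .
}

# Parse /proc/PID/maps lines on stdin. After the package manager replaces
# libssl on disk, a process started earlier keeps the old file mapped and
# the kernel appends "(deleted)" to the path. Returns 0 if such a stale
# OpenSSL mapping is present (restart needed), 1 otherwise.
stale_openssl_mapping() {
    grep -E '/lib(ssl|crypto)\.so[^[:space:]]*[[:space:]]+\(deleted\)[[:space:]]*$' \
        >/dev/null
}

# Live check against the running system. Exit status: 0 nothing to do,
# 1 no dynamic OpenSSL dependency (a rebuild is needed for OpenSSL fixes),
# 2 binary not found, 3 at least one running process needs a restart.
check_openssl_linkage() {
    bin=${1:-mosquitto}
    path=$(command -v "$bin" 2>/dev/null) \
        || { echo "$bin: not found in PATH"; return 2; }
    if ! ldd "$path" 2>/dev/null | openssl_dynamic_deps; then
        echo "$bin: no dynamic OpenSSL dependency; rebuild to pick up OpenSSL fixes"
        return 1
    fi
    rc=0
    for pid in $(pidof "$bin" 2>/dev/null); do
        if stale_openssl_mapping < "/proc/$pid/maps"; then
            echo "$bin pid $pid: maps a replaced libssl/libcrypto; restart to load the update"
            rc=3
        fi
    done
    return $rc
}

# Constructed sample inputs (made up for this example, not real captures).
SAMPLE_LDD_DYNAMIC='    linux-vdso.so.1 (0x00007ffc6d5f3000)
    libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007f3a1c400000)
    libcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a1be00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bc00000)'
SAMPLE_LDD_STATIC='    not a dynamic executable'
SAMPLE_MAPS_STALE='7f3a1c400000-7f3a1c4a0000 r-xp 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f3a1bc00000-7f3a1bd00000 r-xp 00000000 fd:01 5678 /lib/x86_64-linux-gnu/libc.so.6'
SAMPLE_MAPS_FRESH='7f3a1c400000-7f3a1c4a0000 r-xp 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/libssl.so.3'

# Walk the four cases a customer asking "do I need a new build?" runs into.
demo() {
    printf '%s\n' "$SAMPLE_LDD_DYNAMIC" | openssl_dynamic_deps \
        && echo "dynamic: package update plus restart is enough"
    printf '%s\n' "$SAMPLE_LDD_STATIC" | openssl_dynamic_deps \
        || echo "static: rebuild against the fixed OpenSSL"
    printf '%s\n' "$SAMPLE_MAPS_STALE" | stale_openssl_mapping \
        && echo "stale mapping: old libssl still loaded, restart needed"
    printf '%s\n' "$SAMPLE_MAPS_FRESH" | stale_openssl_mapping \
        || echo "fresh mapping: already running the updated library"
}
demo
```

To use it on a real host, source the file and run `check_openssl_linkage mosquitto`; a status of 3 means the package was updated but the broker still has the old libssl/libcrypto mapped and is running the unfixed code until restarted.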