Re: [mosquitto-dev] Security audit for Eclipse Mosquitto

<terryatsnort@xxxxxxxxxxx> writes:

> Do you mean the need, every few years, to change the code to keep up with
> API changes?
> Or are you thinking of mosquitto as producing binary releases, but
> somehow statically linking OpenSSL, and therefore a perceived need to
> regenerate them every time there is a patch-level OpenSSL release?
> [Terry] This is exactly what I thought. E.g., these days, a customer
> using a product would often scan the application by themselves, then
> they would like to know what to do when a new OpenSSL CVE is reported
> publicly:
>
>   *   is this OpenSSL CVE applicable to this application (here, the Mosquitto)?
>       This might be the hardest because they don't know exactly which
>       functionalities are used and how (without studying the source code)
>   *   if it's applicable, do I need to get a new version?
>   *   or is it necessary for me to compile the code with the latest OpenSSL?
>
> Hope this makes sense.

I see.  Well, that's not really about mosquitto.  People should be using
packaging systems that deal with security updates, and should be using
dynamic linking of self-compiled programs so that after updating openssl
from the packaging system a restart will cause things to be running with
the new version.

I am not in favor of using money aimed at improving open source to work
around more generic Windows software packaging problems -- but I have no
particularly special standing here, just a random list member.

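The reply above rests on two checks that are easy to automate: whether a given mosquitto binary actually loads OpenSSL as a shared library (so a package update reaches it without a rebuild), and whether any running process is still holding the old library in memory after such an update (so a restart is still pending). The script below is an added example for this thread, not code from the Mosquitto project or from anyone on the list. It is POSIX shell for Linux; the binary path /usr/sbin/mosquitto, the library paths and the /proc/PID/maps sample are constructed assumptions, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread, not code from the Mosquitto project or the
# mailing list. It checks the two conditions the advice above depends on:
#   1. the mosquitto binary loads libssl/libcrypto dynamically, so a package
#      update of OpenSSL actually reaches it without a rebuild;
#   2. no running process still maps an OpenSSL library that the package
#      manager has since replaced on disk (Linux shows such mappings with a
#      "(deleted)" suffix in /proc/PID/maps); any that do need a restart.
# Paths such as /usr/sbin/mosquitto are assumptions; adjust for your install.

# Classify a binary from the text `ldd` printed for it. Prints one word and
# returns 0 only when OpenSSL is a dynamic dependency.
classify_ldd_output() {
    case "$1" in
        *"No such file"*|*"cannot open"*)
            echo not-found; return 3 ;;
        *"not a dynamic executable"*|*"statically linked"*)
            echo static-binary; return 1 ;;
        *libssl.so*|*libcrypto.so*)
            echo dynamic-openssl; return 0 ;;
        *)
            # dynamic binary with no OpenSSL dependency: either OpenSSL was
            # linked statically into it, or the build has no TLS support
            echo no-dynamic-openssl; return 2 ;;
    esac
}

# Read a /proc/PID/maps listing on stdin; print each distinct OpenSSL library
# path that has been replaced on disk. Returns 0 if any were found.
stale_openssl_maps() {
    awk '/lib(ssl|crypto)[^ ]*\.so/ && /\(deleted\)$/ {
             if (!($6 in seen)) { seen[$6] = 1; print $6; n++ }
         }
         END { exit (n > 0 ? 0 : 1) }'
}

# Live wrappers around the two pure functions above.
check_binary() {
    # $1: path to the mosquitto binary
    classify_ldd_output "$(ldd "$1" 2>&1)"
}

check_running() {
    # Walk every readable maps file; print "PID: libs" for processes holding
    # a replaced OpenSSL library. Returns 0 if at least one needs a restart.
    rc=1
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        if libs=$(stale_openssl_maps 2>/dev/null < "$m"); then
            printf '%s: %s\n' "$pid" "$(printf '%s' "$libs" | tr '\n' ' ')"
            rc=0
        fi
    done
    return $rc
}

# Constructed sample of a maps file (not captured from a real host): a
# process still holding the libssl/libcrypto files that an update replaced.
SAMPLE_MAPS='7f3a1c000000-7f3a1c1e0000 r-xp 00000000 08:01 1234567 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f3a1c200000-7f3a1c600000 r-xp 00000000 08:01 1234568 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)
7f3a1d000000-7f3a1d020000 r-xp 00000000 08:01 2222222 /usr/lib/x86_64-linux-gnu/libc.so.6
55d1a2000000-55d1a2100000 r-xp 00000000 08:01 3333333 /usr/sbin/mosquitto'

# Usage: sh openssl-linkage-check.sh [/path/to/mosquitto]
# With a path, check that binary and the live process table; without one,
# run the parser over the constructed sample.
if [ $# -gt 0 ]; then
    check_binary "$1"
    if check_running; then
        echo "restart the processes above to load the updated OpenSSL"
    else
        echo "no process is mapping a replaced OpenSSL library"
    fi
else
    printf '%s\n' "$SAMPLE_MAPS" | stale_openssl_maps
fi
```

Two caveats a practitioner should keep in mind. `ldd` works by running the dynamic loader over the target, so do not point it at a binary you do not trust; `readelf -d` or `objdump -p` lists the NEEDED entries without executing anything. And the "(deleted)" marker only appears when the package manager replaced the library file with a new inode, which is how Debian, Red Hat and their derivatives install updates; a process that exec'd after the update, or one whose library was overwritten in place, will not show it, so the "no-dynamic-openssl" verdict on the binary itself is the one that tells you whether a rebuild (rather than a restart) is needed. Distribution tools such as needrestart perform the same process-table check across all libraries.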

