Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [mosquitto-dev] Security audit for Eclipse Mosquitto

<terryatsnort@xxxxxxxxxxx> writes:

> Do you mean the every few years need to change the code to keep up with
> API changes?
> Or are you thinking of mosquitto as producing binary releases, but
> somehow statically linking OpenSSL, and therefore a perceived need to
> regenerate them everytime there is a patch-level OpenSSL release?
> [Terry] this is exactly what I thought. E.g., these days, a customer
> using a product would often scan the application by themselves, then
> they would like to know what to do when a new OpenSSL CVE is reported
> publicly:
>   *   is this OpenSSL CVE applicable to this application (here, the Mosquitto)?
> This might be the hardest because they don't know exactly which functionalities are used and how (without studying the source code)
>   *   if it's applicable, do I need to get a new version?
>   *   or is it necessary for me to compile the code with the latest OpenSSL?
> Hope this makes sense.

I see.  Well, that's not really about mosquitto.  People should be using
packaging systems that deal with security updates, and should be using
dynamic linking of self-compiled programs so that after updating openssl
from the packaging system a restart will cause things to be running with
the new version.

I am not in favor of using money aimed at improving open source to work
around more generic windows software packaging problems -- but I have no
particularly special standing here, just a random list member.

Attachment: signature.asc
Description: PGP signature

Back to the top