Reply
Thread Tools
Posts: 1,808 | Thanked: 4,272 times | Joined on Feb 2011 @ Germany
#21
Originally Posted by pichlo View Post
It certainly would, considering that it is firmly in the hands of Nokia and has not been updated for 3 years

If you want updates, CSSU is the only viable option.
I don't think CSSU is that relevant in this case. You could easily replace libssl0.9.8 with the latest 0.9.8-compatible version (0.9.8y?, we have 0.9.8n), regardless of CSSU or not. It's just libssl.so.0.9.8 and libcrypto.so.0.9.8

If you do apt-cache rdepends libssl0.9.8 (or http://maemo.org/packages/package_in...-1+maemo4+0m5/) you see a whole bunch of packages depending on this specific version. So upgrading to a non-compatible version (1.0.1x) would require recompiling all those packages, some of which we don't have the source code for.

CSSU does not magically provide the source code for closed programs. CSSU merely works around the (arbitrary, non-technical) restriction that some packages cannot be provided in the extras repository, by simply providing another repository. Huh. We own Maemo now, so maybe it's time to dump this restriction and allow safe-upgrading of core packages, without the need to buy the whole CSSU.
 

The Following 4 Users Say Thank You to reinob For This Useful Post:
peterleinchen's Avatar
Posts: 4,118 | Thanked: 8,901 times | Joined on Aug 2010 @ Ruhrgebiet, Germany
#22
So what does it mean (rdepends)?
If installing this one here will break something???
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!

Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257

editsignature, http://talk.maemo.org/profile.php?do=editsignature
 

The Following User Says Thank You to peterleinchen For This Useful Post:
Posts: 1,163 | Thanked: 1,873 times | Joined on Feb 2011 @ The Netherlands
#23
Originally Posted by peterleinchen View Post
So what does it mean (rdepends)?
If installing this one here will break something???

reverse depends, if you rdepents package x, you get a list of what is depending on x.


Normal depends x lists all the packages x is depending on
__________________
N900 loaded with:
CSSU-T (Thumb)
720p recording,
Pierogi, Lanterne, Cooktimer, Frogatto
N9 16GB loaded with:
Kernel-Plus
--
[TCPdump & libpcap | ngrep]
--
donate
 

The Following User Says Thank You to mr_pingu For This Useful Post:
Guest | Posts: n/a | Thanked: 0 times | Joined on
#24
Originally Posted by peterleinchen View Post
So what does it mean (rdepends)?
If installing this one here will break something???
Been using my version for a long time, with no issues. But, of course, something may get affected. I cant make any promises, just can observe no issues on my device, actually contrary. I dont seem to have GPS positioning issues (AGPS) as an example - allthough I cant confirm that this is related, it does seem it might be.
 
Posts: 1,808 | Thanked: 4,272 times | Joined on Feb 2011 @ Germany
#25
Originally Posted by nieldk View Post
Been using my version for a long time, with no issues. But, of course, something may get affected. I cant make any promises, just can observe no issues on my device, actually contrary. I dont seem to have GPS positioning issues (AGPS) as an example - allthough I cant confirm that this is related, it does seem it might be.
+1. I also cannot report any problems using your version.

However we have to understand that many packages/programs are linked to a specific version of libssl and/or libcrypto, so installing your openssl package will only affect programs that link to libcrypto.so and/or libssl.so (which symlink to 1.0.0), but not those linked to lib{ssl|crypto}.so.0.9.8 (= most of Maemo) or even libssl0.9.7 (AFAIK Karam's dsniff -- just hope the guy is OK).

Obviously we (one..) could try brutally renaming/symlinking libssl0.9.8 to libssl1.0.0 and see what breaks. But surely things will break if there's been any kind of API changes (and let's not forget that this, unfortunately, *is* the favorite sport of FOSSy developers).

I suggest someone (somebody do something!) create a Wiki page with the packages depending on ssl 0.9.8 and a note whether source code is available or not and whether compiling with a recent ssl works, and whether it works or not.

Then we can start pushing updated versions to extras (or CSSU, whatever).
 

The Following 3 Users Say Thank You to reinob For This Useful Post:
Posts: 115 | Thanked: 342 times | Joined on Dec 2010
#26
From the OpenSSL FAQ:

"Changes to the middle number are considered major releases and neither source nor binary compatibility is guaranteed."

Thus if everything magically continues to work it's hardly more than pure luck.

I would also think twice before downloading .deb files from questionable sources. I am not saying nieldk can not be trusted (in the other thread he says he understands the security concerns), but you don't even know with what options that .deb was built with.

Last edited by NIN101; 2014-04-17 at 09:40.
 

The Following 2 Users Say Thank You to NIN101 For This Useful Post:
Guest | Posts: n/a | Thanked: 0 times | Joined on
#27
config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
 

The Following 3 Users Say Thank You to For This Useful Post:
Reply

Tags
heartbleed, nokia n900, openssl, security


 
Forum Jump


All times are GMT. The time now is 21:15.