On Thu, 24 Nov 2016, Adrian Bunk wrote:
> On Wed, Nov 23, 2016 at 11:50:12PM -0200, Henrique de Moraes Holschuh wrote:
> > On Thu, 24 Nov 2016, Kurt Roeckx wrote:
> >...
> > > > So, if Qt *ever* exposes its use of openssl anywhere in its APIs, it
> > > > might not be safe. If it doesn't (i.e. at most you have a qt flag that
> > > > says "use SSL", etc), then it should be fine.
> > >
> > > It seems to be doing this in qtbase5-private-dev. Not sure if
> > > there are actually any users of it.
> >
> > If it does, all reverse *build* dependencies would need to be inspected,
> > then.
> >
> > AFAIK, that means they must not link to anything that could link to a
> > different libssl than the one used by qt5. If they do, everything needs
> > to be inspected down to the details to ensure nothing will ever leak
> > openssl contexts and data structures across a library boundary
> > (including the application).
>
> If inspection is not easily possible, then adding a dependency on
> libssl1.0-dev to qtbase5-private-dev should be sufficient to
> ensure that this is not leaked to a different OpenSSL version.
How so?

Consider the flattened tree (app is the root, - denotes a branch).

A - B - App - C - D

Where A and D are two versions of openssl. B and C are libs (suppose B
comes from qtbase5-private-dev) from different source packages.

-- 
Henrique Holschuh
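The situation Henrique sketches, two libssl sonames reachable from one executable through different intermediate libraries, can be checked mechanically once the NEEDED edges of each ELF object are known. The following is an added example, not code from the thread or from any Debian package: the dependency graph is constructed by hand to mirror the "A - B - App - C - D" tree (the library names libB.so.1 and libC.so.1 are placeholders), and the walker reports every OpenSSL ABI version it can reach from the root together with the path that pulls it in. In practice the edges would be populated from `objdump -p <object> | grep NEEDED` run over the package contents.

```python
"""Find every OpenSSL runtime version reachable from one executable.

Added example for the mailing-list discussion above; the graph below is
constructed to match the A - B - App - C - D tree and is not real data.
Each key is an ELF object, each value is its list of NEEDED sonames.
"""
import re
from collections import deque

# Constructed graph: B is the hypothetical qtbase5-private-dev library built
# against OpenSSL 1.0 (A), C is a library from another source package built
# against OpenSSL 1.1 (D). The application links both B and C.
DEPENDENCY_GRAPH = {
    "app": ["libB.so.1", "libC.so.1"],
    "libB.so.1": ["libssl.so.1.0.0"],
    "libC.so.1": ["libssl.so.1.1"],
    "libssl.so.1.0.0": ["libcrypto.so.1.0.0"],
    "libssl.so.1.1": ["libcrypto.so.1.1"],
    "libcrypto.so.1.0.0": [],
    "libcrypto.so.1.1": [],
}

# Matches libssl/libcrypto sonames and captures the version suffix after ".so."
OPENSSL_SONAME = re.compile(r"^lib(ssl|crypto)\.so\.(.+)$")


def reachable_paths(graph, root):
    """Breadth-first walk from root; returns {node: one path from root to node}."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in paths:
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return paths


def openssl_versions(graph, root):
    """Map each reachable OpenSSL version to {"ssl"|"crypto": path that reaches it}."""
    found = {}
    for node, path in reachable_paths(graph, root).items():
        match = OPENSSL_SONAME.match(node)
        if match:
            lib, version = match.group(1), match.group(2)
            found.setdefault(version, {})[lib] = path
    return found


def has_mixed_openssl(graph, root):
    """True when more than one OpenSSL ABI version ends up in the process image."""
    return len(openssl_versions(graph, root)) > 1


if __name__ == "__main__":
    for version, libs in sorted(openssl_versions(DEPENDENCY_GRAPH, "app").items()):
        for lib, path in sorted(libs.items()):
            print(f"OpenSSL {version} (lib{lib}) via: " + " -> ".join(path))
    if has_mixed_openssl(DEPENDENCY_GRAPH, "app"):
        print("WARNING: two OpenSSL versions reachable from app; inspect B and C for "
              "OpenSSL structures crossing their public interfaces")
```

The check only proves that two versions coexist in the process; whether that is actually unsafe still depends on whether any OpenSSL object is passed across the boundary between B and C (or between either of them and the application), which is the inspection the thread is talking about.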