Hi Thom,

* Thom May ([EMAIL PROTECTED]) wrote:
> * Geoff Thorpe ([EMAIL PROTECTED]) wrote :
> > It would perhaps make sense to provide a "--force-ssl-ver" type of
> > option that would bypass version checks, and then have any version
> > checking failure text point out the existence of "--force-ssl-ver". This
> > way, the more determined users can force configure to bypass that,
> > whilst it still provides a certain safety-net for the more naive and
> > less intrepid against accidentally meddling with known-to-be-out-of-date
> > support libraries.
>
> (un)?fortunately most vendors prefer to backport security fixes rather than
> release new versions of software into stable releases since backports are
> far less likely to interfere with already tested and correctly integrated
> software. Thus the average user is unlikely to *know* that they would need
> to force an ssl version. Less intrepid users are far more likely to be
> following vendor security updates ;-)

Well, this is an issue for the httpd developers to decide on, not me. I put
the version checks in because (a) to me (again, outside the httpd sphere of
view) it seemed logical, but more importantly (b) the existing autoconf
checks did essentially the same version checking but in a more fragile form
and for a now out-of-date threshold. I'm just as happy to axe the version
check or set up warnings in its place.

My goal here is to fix the openssl checks so that the currently-incorrect
path, include, and linker handling is corrected. E.g. if I set up my system
with a non-standard PATH, INCLUDES, ld.so.conf, etc., anything following
normal autoconf practice will be fine but apache's ssl/tls handling will
not. Likewise, if --with-ssl=<dir> is used with a relative path it will
succeed the configure checks but fail compilation.

W.r.t. the version checks, I don't feel passionately about it one way or the
other; by all means tell me what the consensus is and I'll rejig the patch
for that.

> I don't think we should have enforced version checks for this; if we do
> detect an old version I think the most we should do is to suggest that the
> user checks with their vendor that they have the most up-to-date release for
> their OS; and that said release fixes the (known) security holes.

If that's what people want, that's what I'll do. Should I simply leave in a
version check equivalent to the existing one (0.9.6e) and not rock the boat?
Or should I turn the version error into a version warning?

Cheers,
Geoff

--
Geoff Thorpe [EMAIL PROTECTED]
http://www.geoffthorpe.net/
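The two concrete problems Geoff raises (a relative --with-ssl=<dir> that passes configure but breaks the build, and a hard version error that ignores vendor backports) are easy to show in a small configure-style helper. The script below is an added illustration, not the httpd patch or any code from this thread; it assumes OpenSSL's usual opensslv.h layout and the MNNFFPPS encoding of OPENSSL_VERSION_NUMBER (so the 0.9.6e threshold mentioned above becomes 0x0090605f), and the sample headers it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the httpd patch under discussion): a configure-style
# helper that makes --with-ssl=<dir> absolute, reads OPENSSL_VERSION_NUMBER from
# <dir>/include/openssl/opensslv.h, and turns an out-of-date result into a
# warning pointing at the vendor instead of a hard configure error.

# Threshold from the thread: 0.9.6e. Assumed encoding is OpenSSL's MNNFFPPS
# scheme (major, minor, fix, patch letter, status), so 0.9.6e == 0x0090605f.
SSL_MIN_VERSION_HEX=0090605f
SSL_MIN_VERSION_TEXT="0.9.6e"

# A relative --with-ssl works for tests run from the top-level directory but
# breaks once make descends into subdirectories; resolve it once, up front.
ssl_absolutize_dir() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  ( cd "$1" 2>/dev/null && pwd ) || return 1 ;;
    esac
}

# Print the hex digits of OPENSSL_VERSION_NUMBER from a header (no 0x, no L).
ssl_header_version_hex() {
    sed -n 's/^# *define OPENSSL_VERSION_NUMBER[[:space:]]*0x\([0-9a-fA-F]*\)L\{0,1\}.*/\1/p' \
        "$1" 2>/dev/null | head -n 1
}

# Classify a header as "ok", "old" or "unknown" relative to the threshold.
ssl_version_status() {
    hex=$(ssl_header_version_hex "$1")
    if [ -z "$hex" ]; then
        echo unknown
    elif [ "$((0x$hex))" -ge "$((0x$SSL_MIN_VERSION_HEX))" ]; then
        echo ok
    else
        echo old
    fi
}

# What configure would print: advice rather than abort, as Thom suggested.
ssl_report() {
    case "$(ssl_version_status "$1")" in
        ok)  echo "checking OpenSSL version... ok (>= $SSL_MIN_VERSION_TEXT)" ;;
        old) echo "configure: WARNING: OpenSSL headers report a version older than $SSL_MIN_VERSION_TEXT."
             echo "configure: WARNING: vendors often backport fixes; check that your vendor's release carries the known security fixes." ;;
        *)   echo "configure: WARNING: could not read OPENSSL_VERSION_NUMBER from $1" ;;
    esac
}

# Write a constructed opensslv.h containing the given hex version number.
ssl_write_sample_header() {
    mkdir -p "$(dirname "$1")"
    printf '#define OPENSSL_VERSION_NUMBER 0x%sL\n' "$2" > "$1"
}

# Constructed demo tree: an "old" 0.9.6c install and an "ok" 0.9.7 install.
SSL_DEMO_TMP=$(mktemp -d)
trap 'rm -rf "$SSL_DEMO_TMP"' EXIT
SSL_DEMO_OLD=$SSL_DEMO_TMP/old/include/openssl/opensslv.h
SSL_DEMO_OK=$SSL_DEMO_TMP/ssl/include/openssl/opensslv.h
ssl_write_sample_header "$SSL_DEMO_OLD" 0090603f
ssl_write_sample_header "$SSL_DEMO_OK" 0090700f
SSL_DEMO_DIR=$(cd "$SSL_DEMO_TMP/ssl" && pwd)

ssl_report "$SSL_DEMO_OLD"
ssl_report "$SSL_DEMO_OK"
ssl_report "$SSL_DEMO_TMP/missing/opensslv.h"
echo "--with-ssl=ssl from $SSL_DEMO_TMP resolves to: $(cd "$SSL_DEMO_TMP" && ssl_absolutize_dir ssl)"
```

Only the header is consulted here; a real configure check would additionally compile and link a small test program against the chosen directory, which is what catches the include and linker path problems Geoff describes.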
