Hi Dennis;
I recall discussions of OpenSSL and updating our dependency on it to a
better/patched version.
What I don't know is whether the binaries that are built and distributed
directly by the project incorporate OpenSSL in any manner?
Can anyone clear that up?
1. Do our built binaries depend on and distribute OpenSSL in some manner?
2. Is this for all platforms or only some of them?

While your questions are interesting, and we really must keep OpenSSL
updated, it would seem like you want to limit the impact of what could
be considered a liability. I think in our modern world the opposite
approach is necessary: we should be looking at considering encryption
more as an opportunity than a threat.
It looks like we have been avoiding including OpenSSL where we should
have: the general build *should* depend on OpenSSL for APR, curl, and
Python. I have never really worried about it because my primary platform
(FreeBSD .. yeah!) uses the pre-packaged dependencies by default and
those depend on OpenSSL.
So, my answers to your questions are:
1) I hope so, and if we are not, we have to fix that.
2) We absolutely must keep all platforms consistent.
Pedro.