On Sat, Sep 03, 2016 at 10:20:49PM -0400, Leo Famulari wrote:
> On Sat, Sep 03, 2016 at 04:34:51PM +0200, Ludovic Courtès wrote:
> > Yes, but as long as the ‘openssl’ refers to 1.0.x, it doesn’t really matter
> > that the “openssl” package points to the latest one, no?  Users can still
> > run “guix package -i openssl@1.0” if they want.
> 
> Oh, right :)
> 
> I've attached a patch for review.

By the way, if you run `guix lint`, you will see a warning about
CVE-2016-2183. I think we will be unaffected; this vulnerability will
only manifest if we build with "--enable-weak-ssl-ciphers".

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
