On 7/28/2016 10:57 AM, Theo de Raadt wrote:
>
> ENV support was removed entirely.
>
> A few people found convenient ways to use that hack.
>
> However, the support is baked in -- unavoidable -- and occurs in all
> library use-contexts. In some of those contexts, this environment
> variable support is super dangerous.
>
> Since we cannot toggle support on & off based upon the usage case and
> provide selective security -- the support was removed.
>
> Imagine if libc had a pile of environment variables that behaved like
> this. If the practice is unsafe in a library like libc, then it
> should be looked at with an equally critical eye in a library used for
> security purposes...

Ahhh... OK. Makes sense (and the background explanation you give is precisely the reason why I'm moving to LibreSSL).

I'll do what I need to do without the ENV stuff.

Thanks for the quick reply!

(As an aside to anyone reading this a few months from now, I've taken down the download file from my server.)