Re: [gentoo-user] GLSA «201110-01 / openssl» and acroread-9.4.2

2012-01-17 Thread Alan McKinnon
On Mon, 16 Jan 2012 20:29:28 -0200
Urs Schutz u.sch...@bluewin.ch wrote:

> As far as I know acroread is not unmasked in this
> installation, nor is openssl
>  # grep -i acro /etc/portage/*
>  # grep -i ssl /etc/portage/*
> shows nothing, so acroread and ssl is «stable».
>
> For now I just uninstalled acroread to prevent the
> installation of a buggy openssl version, but this seems
> wrong for a mostly stable installation...
>
> Any hints how to proceed? Is there any danger to have an
> old (and apparently buggy) openssl lib installed in parallel
> with the recent one?

That's always a tricky one. 

Users want Adobe's shiny stuff and Adobe is notorious for releasing
crap software. For whatever reason, acroread on x86 profile requires
openssl in the 0.9.8 series and that can't be worked around.

The answer to your question is: are you prepared to live with it?

The GLSA indicates that this is quite a severe issue so maybe it should
be hard masked. However, that will break acroread and there's only one
version in the tree. Hardmask openssl:0.9.8 means hardmask acroread and
that means thousands of whinging users.

So the devs are between a rock and a hard place where all the issues
are out of their control. The only middle path left is to inform all
the users as much as possible and let them decide for themselves.

Personally, I would deep-six acroread and use any one of the many PDF
readers out there. 

The tax authority in my country uses new funky PDF features in Reader
for on-line tax returns so I need access to Reader once a year. For
that, there's wine, Windows in VirtualBox or the wife's computer.


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] GLSA «201110-01 / openssl» and acroread-9.4.2

2012-01-17 Thread Urs Schutz
On Tue, 17 Jan 2012 12:35:50 +0200
Alan McKinnon alan.mckin...@gmail.com wrote:

> On Mon, 16 Jan 2012 20:29:28 -0200
> Urs Schutz u.sch...@bluewin.ch wrote:
>
> > As far as I know acroread is not unmasked in this
> > installation, nor is openssl
> >  # grep -i acro /etc/portage/*
> >  # grep -i ssl /etc/portage/*
> > shows nothing, so acroread and ssl is «stable».
> >
> > For now I just uninstalled acroread to prevent the
> > installation of a buggy openssl version, but this seems
> > wrong for a mostly stable installation...
> >
> > Any hints how to proceed? Is there any danger to have an
> > old (and apparently buggy) openssl lib installed in
> > parallel with the recent one?
>
> That's always a tricky one.
>
> Users want Adobe's shiny stuff and Adobe is notorious for
> releasing crap software. For whatever reason, acroread on
> x86 profile requires openssl in the 0.9.8 series and that
> can't be worked around.
>
> The answer to your question is are you prepared to live
> with it?
>
> The GLSA indicates that this is quite a severe issue so
> maybe it should be hard masked. However, that will break
> acroread and there's only one version in the tree.
> Hardmask openssl:0.9.8 means hardmask acroread and that
> means thousands of whinging users.
>
> So the devs are between a rock and a hard place where all
> the issues are out of their control. The only middle path
> left is to inform all the users as much as possible and
> let them decide for themselves.
>
> Personally, I would deep-six acroread and use any one of
> the many PDF readers out there.
>
> The tax authority in my country uses new funky PDF
> features in Reader for on-line tax returns so I need
> access to Reader once a year. For that, there's wine,
> Windows in VirtualBox or the wife's computer.
 
 

Thanks for the reply. I switched to app-text/evince, this
seems fine for just reading pdf.

Urs



[gentoo-user] GLSA «201110-01 / openssl» and acroread-9.4.2

2012-01-16 Thread Urs Schutz
Today I see the following:

I uninstalled dev-libs/openssl-0.9.8s-r1 because there is
a GLSA (201110-01 / openssl) against it.

But acroread-9.4.2 wants the installation of
openssl-0.9.8s-r1:

 # emerge -uDpvtN world

These are the packages that would be merged, in reverse order:

Calculating dependencies... done!
[nomerge   ] app-text/acroread-9.4.2  USE=cups ldap nsplugin -minimal LINGUAS=de en -fr -ja
[ebuild  NS ]  dev-libs/openssl-0.9.8s-r1 [1.0.0f-r1] USE=gmp sse2 zlib -bindist -kerberos -test 0 kB

Total: 1 package (1 in new slot), Size of downloads: 0 kB

The last stable openssl is already installed:
 # eix -I openssl
[I] dev-libs/openssl
     Available versions:
        (0.9.8) 0.9.8r ~0.9.8s 0.9.8s-r1
        (0) 1.0.0d 1.0.0e ~1.0.0e-r1 ~1.0.0f 1.0.0f-r1
        {bindist gmp kerberos rfc3779 sse2 static-libs test zlib}
     Installed versions:  1.0.0f-r1(07:52:58 PM 01/16/2012)(gmp sse2 zlib -bindist -kerberos -rfc3779 -static-libs -test)
     Homepage:            http://www.openssl.org/
     Description:

As far as I know acroread is not unmasked in this
installation, nor is openssl 
 # grep -i acro /etc/portage/*
 # grep -i ssl /etc/portage/*
shows nothing, so acroread and ssl is «stable».

For now I just uninstalled acroread to prevent the
installation of a buggy openssl version, but this seems
wrong for a mostly stable installation...

Any hints how to proceed? Is there any danger to have an
old (and apparently buggy) openssl lib installed in parallel
with the recent one? 

Urs
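
Added example, not part of the original thread: a small filter that reads `emerge -pt` (pretend, tree) output such as the one quoted above and reports each package that would be merged into a new slot together with the package that pulls it in. It assumes the tree layout where each dependency level adds one space after the closing bracket; the sample input is constructed and `app-misc/example` is a made-up package.

```shell
#!/bin/sh
# Added example: report new-slot ("S" flag) merges in `emerge -pt` output
# together with the package one tree level up that pulls them in.

# Constructed sample modelled on the output quoted in the thread; the third
# line (app-misc/example) is invented to show a plain upgrade being ignored.
sample_output() {
cat <<'EOF'
[nomerge       ] app-text/acroread-9.4.2  USE="cups ldap nsplugin -minimal"
[ebuild  NS    ]  dev-libs/openssl-0.9.8s-r1 [1.0.0f-r1] USE="gmp sse2 zlib" 0 kB
[ebuild     U  ] app-misc/example-1.1 [1.0] 0 kB
EOF
}

# Reads emerge tree output on stdin, prints "<new-slot package><TAB><parent>".
# Assumption: each tree level adds one space after the closing bracket.
new_slot_parents() {
    awk '
    /^\[(ebuild|nomerge|binary)/ {
        close_br = index($0, "]")
        flags = substr($0, 2, close_br - 2)   # e.g. "ebuild  NS    "
        rest  = substr($0, close_br + 1)
        depth = 0
        if (match(rest, /^ +/)) depth = RLENGTH - 1
        sub(/^ +/, "", rest)
        split(rest, field, " ")
        pkg = field[1]
        parent[depth] = pkg                   # remember latest node per level
        n = split(flags, fl, " ")
        for (i = 2; i <= n; i++) {
            if (index(fl[i], "S")) {          # S = installs into a new slot
                by = (depth > 0) ? parent[depth - 1] : "(top level)"
                printf "%s\t%s\n", pkg, by
                break
            }
        }
    }'
}

sample_output | new_slot_parents
```

On a real system the same function can be fed directly: `emerge -uDpvtN world | new_slot_parents`.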