The implication is that packages built against scrypt on trusty link
against it statically. It's a grave Debian policy violation for one, and
it's a terrible thing for a security-related library for another. If
there's any update to the library, other packages don't pick it up. It's
also clear that it has been fixed in newer Ubuntu versions for over
two years with no reported regression.

That being said, it's clear that for in-distro packages, reverse
dependencies of libscrypt would need to be recompiled to pick up the
dependency. However, they are of course not easy to identify because
they never inherited the shlibs dependency in the first place.

Similarly, I can make the argument that it does not affect any package in
the archive because unless they are recompiled they won't see the
updated symlink. In the end it's mostly to help people building their
own packages on Ubuntu against libscrypt to do it correctly and in the
manner you'd expect an Ubuntu system to behave.

** Changed in: libscrypt (Ubuntu Trusty)
       Status: Incomplete => In Progress

https://bugs.launchpad.net/bugs/1313311

Title:
  Broken libscrypt.so symlink
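
The failure mode discussed in this report, as an added example (not from the bug report or the libscrypt packaging): when a `lib*.so` development symlink dangles and a `lib*.a` sits beside it, `-lNAME` resolves to the static archive, so the resulting package records no shared-library dependency. The function name `check_dev_links` and the demo directory contents are constructed for illustration.

```shell
#!/bin/sh
# check_dev_links DIR
# Report every lib*.so development symlink in DIR whose target is missing.
# If a lib*.a with the same stem exists, the linker will silently use it
# for -lNAME, which is the static-linking outcome described above.
# Returns 1 if any problem was reported, 0 otherwise.
check_dev_links() {
    dir=$1
    status=0
    for link in "$dir"/lib*.so; do
        [ -L "$link" ] || continue      # symlinks only; also skips an unmatched glob
        [ -e "$link" ] && continue      # target resolves, nothing to report
        name=${link##*/}
        name=${name%.so}
        target=$(readlink "$link")
        if [ -f "$dir/$name.a" ]; then
            echo "STATIC-FALLBACK $name.so -> $target (missing); $name.a present"
        else
            echo "DANGLING $name.so -> $target (missing)"
        fi
        status=1
    done
    return $status
}

# Constructed demo: a scratch directory that mimics the situation, with a
# placeholder link target (the real target name is not given in the report).
demo=$(mktemp -d)
ln -s no-such-target "$demo/libscrypt.so"
: > "$demo/libscrypt.a"
check_dev_links "$demo" || true
rm -rf "$demo"
```

On a real system the argument would be the multiarch library directory where the -dev package installs its symlink.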
