On Friday, 25 November 2022 05:21:00 CET, Steven_M.irc via openssl-users wrote:
> Hi Michael,
> Thanks very much for replying to my e-mail/post. I apologize
> for the lateness of my reply.
>
>> This is not true in the general case. There are applications
>> which are available on Linux which do not use the
>> distribution's package manager. There are applications which
>> use their own OpenSSL build, possibly linked statically or
>> linked into one of their own shared objects or with the OpenSSL
>> shared objects renamed. Linux distributions have not magically
>> solved the problem of keeping all software on the system
>> current.
>
> That's disheartening. My next computer will be running Linux
> and I was thinking that (as long as I stick to installing
> software from appropriate repositories) my update worries would
> be over soon.

I'm pretty sure what Michael had in mind is that you can have software that
runs on Linux that doesn't use system-provided OpenSSL (e.g. proprietary
software).

Well-built distros, or even well-built third party repos, will follow packaging
guidelines of a given distribution. And many distributions forbid distributing
copies of libraries that are already included in the distro proper.
So if you stick to software from official repositories, you should generally
be fine (unless you go for some very obscure and badly built distro).

>> I'm not sure OpenSSL versions should be particularly high on
>> anyone's priority list.
>
> As I understand it, OpenSSL is responsible for establishing
> HTTPS connections, the primary protocol for ensuring security
> and authenticity over the Internet, and you *don't* think
> OpenSSL versions should be a high priority? I don't understand
> your lack of alarm here.

Not necessarily; you can have an application using multiple cryptographic
libraries at the same time, but for different purposes.
An application built for Windows may well use schannel for establishing
HTTPS connections and OpenSSL for encrypting the local files.
Then a security vulnerability in OpenSSL's TLS implementation won't affect
the application.

--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
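Michael's point above, that an application may carry its own statically linked or renamed OpenSSL which no package update touches, is something an administrator can check for. The shell script below is an added example and not code from this thread or from OpenSSL; the sample tree it builds under mktemp is constructed, and the version 3.0.7 it treats as the host's distro-provided OpenSSL is an assumed value.

```shell
#!/bin/sh
# libcrypto embeds its OPENSSL_VERSION_TEXT banner ("OpenSSL 1.1.1k  25 Mar 2021"),
# and that string survives static linking and renaming of the shared object, so a
# byte search for it turns up bundled builds that the package database never lists.

# Print "path<TAB>banner" for every regular file under $1 that embeds a banner.
scan_openssl_banners() {
    find "$1" -type f -size +0 2>/dev/null | while IFS= read -r f; do
        # -a: treat binaries as text; -o: print only the match; head: one hit per file
        banner=$(grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$f" 2>/dev/null | head -n 1)
        if [ -n "$banner" ]; then printf '%s\t%s\n' "$f" "$banner"; fi
    done
    return 0
}

# Number of files under $1 that carry a banner.
count_openssl_banners() {
    scan_openssl_banners "$1" | wc -l | tr -d ' '
}

# List files whose embedded version differs from $2, the version the distro ships
# (on a real host: openssl version | cut -d' ' -f2). Those files were not built
# against the system libssl, so updating the distro package will not fix them.
report_divergent() {
    scan_openssl_banners "$1" | while IFS="$(printf '\t')" read -r path banner; do
        ver=${banner#OpenSSL }
        if [ "$ver" != "$2" ]; then printf 'bundled OpenSSL %s in %s (system has %s)\n' "$ver" "$path" "$2"; fi
    done
    return 0
}

# Constructed sample tree standing in for /opt or a vendor install directory.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/vendor-app/lib" "$d/vendor-app/bin"
    printf 'junk\0OpenSSL 1.1.1k  25 Mar 2021\0tail' > "$d/vendor-app/lib/libvendorcrypto.so"
    printf '\177ELF\0static\0OpenSSL 3.0.7 1 Nov 2022\0' > "$d/vendor-app/bin/app"
    printf 'no crypto here\n' > "$d/vendor-app/README"
    printf '%s' "$d"
}

# Demonstration: the host's distro-provided OpenSSL is assumed to be 3.0.7.
main() {
    tree=$(make_sample_tree)
    scan_openssl_banners "$tree"
    report_divergent "$tree" 3.0.7
    rm -rf "$tree"
}
main
```

On a real system point the scan at directories such as /opt or a vendor's install prefix; a hit on a file that the package manager does not own is a copy that tracks the vendor's release schedule, not the distribution's.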