Re: Need new psqlODBC release to update OpenSSL again - Mailing list pgsql-odbc
From | Hiroshi Saito |
---|---|
Subject | Re: Need new psqlODBC release to update OpenSSL again |
Date | |
Msg-id | 5397236C.6000509@winpg.jp |
In response to | Re: Need new psqlODBC release to update OpenSSL again (Dave Page <dpage@pgadmin.org>) |
Responses | Re: Need new psqlODBC release to update OpenSSL again |
List | pgsql-odbc |

Hi.

Sorry for the very late reaction.
I checked, tested and packaged a build that replaces only the openssl library in the final release of version 09.03.0300. Then the branch number assigned in the file name is incremented.
ex.) psqlodbc_09_03_0300-1.zip

I will upload if there is no objection.

Regards,
Hiroshi Saito

(2014/06/07 19:21), Dave Page wrote:
> On Sat, Jun 7, 2014 at 3:32 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>
>> (2014/06/06 17:25), Dave Page wrote:
>>>
>>> On Fri, Jun 6, 2014 at 5:16 AM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>>>
>>>> (2014/06/06 8:02), Michael Paquier wrote:
>>>>>
>>>>> On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage@pgadmin.org> wrote:
>>>>>>
>>>>>> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue@tpf.co.jp> wrote:
>>>>>>>
>>>>>>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> OpenSSL version 1.0.1h was released today, fixing several new
>>>>>>>> vulnerabilities. Looks like we need to make a new psqlODBC release
>>>>>>>> again, to get these fixed on Windows..
>>>>>>>
>>>>>>> Does this mean that we simply replace the ssl related dlls packaged in
>>>>>>> psqlodbc.msi and psqlodbc_x64.msi of the release 9.03.0300?
>>>>>>
>>>>>> You may also need to bump the version number in the MSI/MSM packages
>>>>>> to ensure the upgrade happens.
>>>>>
>>>>> Perhaps we should directly do a new release, commit 9e71e4d fixed as
>>>>> well a problem with connection closed when queries are sent.
>>>>
>>>> Why are we forced new releases so often due to bugs of openssl
>>>> libraries? I'd like to reflect some changes for the next release
>>>> but it would take some time. In addition I've had little time to
>>>> test recent changes.
>>>
>>> That's the nature of releasing software that relies on third-party
>>> security components unfortunately. EDB have to put the work of a dozen
>>> or so people on hold for a week every time this happens :-/
>>>
>>>> All package files at http://www.postgresql.org/ftp/odbc/versions
>>>> /msi(mm or dll) may contain old openssl dlls. If the dlls are so
>>>> risky, shouldn't we remove the package files?
>>>
>>> Probably, yes.
>>>
>>>> Simply repackaging Windows 9.03.0300 version (or other versions as
>>>> well?) replacing openssl dlls by new ones is unfavorable?
>>>
>>> Users typically won't update the files though, no matter how much you
>>> try to put notices and warnings in front of them.
>>
>> What I mean is that I don't prefer to take in other changes for
>> this release and would like to release a Windows limited version.
>> As you say the Product version must be bumped up at least.
>
> Oh, for sure. There's no need to update anything else, unless you want to.
>
>>> Even aside from
>>> that, we've been working hard in recent years to make it easier for
>>> users to get started and having them manually update things is a big
>>> step backwards. Last but not least - manually updating files from an
>>> MSI package can cause problems with the Windows Installer.
>>
>> ISTM the new release isn't a kind of "we are pleased to announce" one.
>> Maybe we would have to announce existent drivers are poisons.
>>
>> Anyway I'm inclined to separate third party libraries from psqlodbc.msi
>> e.g. in the next major version up.
>
> Please don't - that'll just make it harder for all users to get things right.