On Fri, Dec 6, 2013 at 3:44 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
> > I think that basically says you need openssl from 6.5 to make it work.
> But
> > you don't need a full update to 6.5. I think that dependency should sitll
> > be fixed.
>
> Essentially, you're asking Devrim to downgrade his build box to a known
> insecure version of OpenSSL. I won't be surprised if his answer isn't
> printable. It almost certainly won't be "okay".
>
No, I'm not. But that's maybe because I don't know how those things are set
up.
What I'm asking for is the 9.2 postgresql packages to depend on a version
of openssl that's present in 6.4. If the user is on 6.5, it will still
match, and not be a problem.
I don't know how it works in the RedHat world, but in debian that would
just be a "depend on openssl version x.y.z or higher". I can't believe
that's too hard.
> (And no, I don't have a lot of sympathy for people running RHEL without
> a subscription.)
>
That's not the usecase I care about. I don't have any sympathy for those
either.
I'm talking about the people who have not yet upgraded to 6.5, since it was
only released two weeks ago. You know, kind of like how we still support
9.2 even though 9.3 was released months ago. But those people can no longer
upgrade PostgreSQL to a release that doesn't contain known dataloss bugs.
(Actually they can, by manually installing openssl from 6.5 first - but
that's really more of a workaround than a fix)
It might be that it's too much work to deal with something like that. I
just wanted it to be properly investigate that this really is that case. It
just seems to be that it *should* be an easy fix, but maybe it's not.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
