Conversation
A corresponding discussion is how to make Spack upgrade certain libraries automatically, if e.g. the previous version has a severe security issue.
See my suggestion in #414. I don't really like that this package breaks every time a new release comes out.
I don't like that it breaks either, but it's better than just offering a known-bad version of openssl as well. I think that if it gets a 404, maybe openssl's package class could intercept that, bump the letter and output a message to post an issue here, the mailing list, or, better, how to open a PR with the change here. Also, we're downloading openssl over http which is…not really bad, but definitely not good either.
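The "on 404, bump the letter and warn" idea from the comment above, sketched as an added Python example (not Spack's code or the openssl package's own fetch logic); the base URL is a stand-in and the `exists` probe is injected, so the example runs offline:

```python
import re
from string import ascii_lowercase

# Constructed stand-in for the OpenSSL download directory; the real package
# fetches from openssl.org, this example never touches the network.
BASE_URL = "https://www.openssl.org/source"


def tarball_url(version):
    return f"{BASE_URL}/openssl-{version}.tar.gz"


def bump_letter(version):
    """Return the next lettered release of the same base version, or None.
    '1.0.2' -> '1.0.2a', '1.0.2g' -> '1.0.2h', '1.0.2z' -> None."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError(f"unexpected OpenSSL version string: {version!r}")
    base, letter = m.groups()
    if letter == "":
        return base + "a"
    if letter == "z":
        return None
    return base + ascii_lowercase[ascii_lowercase.index(letter) + 1]


def resolve_tarball(version, exists, max_bumps=25):
    """Walk forward through letter releases until exists(url) is true.
    `exists` is an injected probe (a real fetcher would issue an HTTP HEAD).
    Returns (found_version, url, messages) or raises if nothing is published."""
    messages = []
    candidate = version
    for _ in range(max_bumps + 1):
        url = tarball_url(candidate)
        if exists(url):
            if candidate != version:
                messages.append(
                    f"openssl-{version} is no longer published; it was superseded "
                    f"by openssl-{candidate}, so the requested release is missing "
                    f"later security fixes. Please open a PR bumping the version."
                )
            return candidate, url, messages
        messages.append(f"404 for {url}, trying the next letter release")
        candidate = bump_letter(candidate)
        if candidate is None:
            break
    raise RuntimeError(f"no tarball found for openssl-{version} or a later letter release")
```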
Can you check if the changes in #414 mitigate the URL issue?
@alalazo: I actually agree with @mathstuf here -- I think this is annoying, but that is the reason I like the idea of bumping the version and seeing if a newer tarball is present. The logic in If you want to do the #414 thing, then I think the code should at least warn the user that they're getting an old version of OpenSSL that likely has known security holes. If they say yes to that, then I guess there is not much to be done, although I think we run the risk of conditioning users to robotically consent. It would be nice to avoid that and to do something both convenient and secure.
@tgamblin: I have no strong opinions on OpenSSL installation (I just tried to implement one of the comment suggestions, which seemed to me a good default). What would you prefer me to do with that package in #414? Revert it to the current state, or add logic to warn / prompt the user if they ask for an old release?
openssl often updates their downloads for a particular version by incrementing a letter after the version number. When they do this, they remove the previous lettered version, requiring the package to be updated. This is a bit annoying. Any ideas on how to ameliorate this?