On 24 March 2014 22:39, M.-A. Lemburg <mal at egenix.com> wrote:
> On 24.03.2014 13:33, Antoine Pitrou wrote:
>> Under Linux (and probably OS X too), the _ssl module is linked
>> dynamically with OpenSSL:
>>
>> $ ldd build/lib.linux-x86_64-2.7-pydebug/_ssl.so
>>     linux-vdso.so.1 => (0x00007fff3f1de000)
>>     libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd8853ea000)
>>     libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd885010000)
>>     libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd884df1000)
>>     libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd884a2b000)
>>     libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd884827000)
>>     /lib64/ld-linux-x86-64.so.2 (0x00007fd885868000)
>
> Right, and it's using the system library, not a private copy - which
> can be both good and bad depending on how recent the system's library
> version is.

Even if *we* statically linked OpenSSL on Linux, you can bet distro
vendors would switch it back to dynamic linking. Hence the comment in
the PEP about vendor provided OpenSSL updates mitigating some of the
concerns on Linux (defaulting not all of them though - it's still far
too easy for developers to make mistakes and too hard for them to do
the right thing from a security perspective).

You also reminded me that I need to dig around for and reference Ned's
email about the status of OS X and reference that (OpenSSL upgrades
were a casualty of Apple's anti-GPL crusade, so the OS X installers
were switched to static linking somewhere along the line).

Cheers,
Nick.

-- 
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
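An added example, not part of the original message or of CPython: it classifies how an `_ssl` build obtains OpenSSL (shared system library, shared private copy, or no shared dependency at all) from `ldd` output, using lines abridged from the output quoted above as sample input. The function names and the `SYSTEM_DIRS` list are assumptions made for this illustration.

```python
import re
import subprocess

# ldd output abridged from the message quoted above.
SAMPLE_LDD = """\
linux-vdso.so.1 => (0x00007fff3f1de000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd8853ea000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd885010000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd884df1000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd885868000)
"""

# Assumption: directories treated as distro-owned for this report.
SYSTEM_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# "name => /path (0xaddr)"; the path is missing for the vDSO or "not found".
DEP = re.compile(r"^\s*(\S+)\s*=>\s*(/\S+)?")


def parse_ldd(text):
    """Map each 'name => path' dependency to its resolved path (or None)."""
    deps = {}
    for line in text.splitlines():
        m = DEP.match(line)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps


def openssl_linkage(text):
    """Classify how an extension module gets its OpenSSL code."""
    libs = {n: p for n, p in parse_ldd(text).items()
            if n.startswith(("libssl.so", "libcrypto.so"))}
    if not libs:
        # No shared dependency: static copy inside the module, or no OpenSSL.
        return {"linking": "static-or-none", "libs": {}, "system": False}
    system = all(p is not None and p.startswith(SYSTEM_DIRS)
                 for p in libs.values())
    return {"linking": "dynamic", "libs": libs, "system": system}


if __name__ == "__main__":
    import _ssl, ssl  # _ssl.__file__ is absent when the module is built in
    out = subprocess.run(["ldd", _ssl.__file__], capture_output=True,
                         text=True, check=True).stdout
    print(ssl.OPENSSL_VERSION, openssl_linkage(out))
```

A `dynamic` result with `system` true means OpenSSL fixes arrive through the vendor's package updates; `static-or-none` means the OpenSSL code, if present, only changes when the Python build itself is replaced.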