[Info-vax] OpenSSL CSWS-2.2-1

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Tue Apr 30 11:50:05 EDT 2019


On 2019-04-30 01:53:39 +0000, Arne Vajhøj said:

> On 4/29/2019 2:30 PM, Craig A. Berry wrote:
>> 
>> I agree, but I'm actually talking about product names not version 
>> numbers. If you want to simultaneously support two different versions 
>> that are not binary compatible with each other, you need different 
>> product names and they need to appear not just in the kit names but 
>> also in the filenames of whatever libraries end up in sys$share or 
>> sys$library, not to mention system-level logical names.
> 
> This is only a problem if products insist on dumping their stuff into 
> the operating systems structure.
> 
> Very common across operating systems.
> 
> But still a bad idea in my opinion.

OpenVMS itself encourages the scatter-shot installation misbehavior, 
requiring logical names if the message file and shareable images and 
whatnot are to be isolated from a bespoke bundle.   Wouldn't surprise 
me to see VSI start to take a few swings at this and related problems, 
at least for themselves and their layered products, and sometime after 
the port is available.

As for OpenSSL, one of the few precedents for installing parallel 
versions—and one of the few that works—is multi-version Rdb.  There's 
little (no?) documentation on what's involved with that too, and it's 
easy to get it wrong.

And as for OpenSSL, the API changes are almost certainly going to 
continue, which means we re-code and update our apps for those and/or 
migrate to a VSI or third-party API.  Or we embed the required versions 
in the app directory, which is probably where we're headed.  Downside 
of embedding OpenSSL or other dependencies: chasing individual app 
updates because of vulnerabilities in the OpenSSL or other 
dependencies.  Which means that easier and more automated and faster 
patch notification and update notification and patch and update 
application paths are necessary.

For those folks that haven't seen what can be available for maintaining 
and updating apps: https://sparkle-project.org

We ain't headed back to the era of small disks or infrequent updates or 
limited vulnerabilities.  We have what we have.  And we have the trends 
we have.  And the treadmill we're all on around patches and upgrades is 
only going to accelerate.

ps: "There are only two hard things in Computer Science: cache 
invalidation, naming things, and off-by-one errors."

-- 
Pure Personal Opinion | HoffmanLabs LLC 



