tom callaway (spot) wrote in logjam,
tom callaway

new logjam RPMS

After much discussion towards the end of last week with evan & shacker, it was discovered that Mandrake puts its ssl libs in /usr/lib, instead of /lib, throwing off the RPM autodependencies for the ssl libs. I'd wager that other distributions do as well, so I redid the 3.0.0 rpms using curl & curl-devel instead of curl-ssl & curl-ssl-devel. Release 7 is SSL free.

Update: Ok, I was wrong. Here's why the RPMs don't work on Mandrake. To ensure binary compatibility between openssl 0.9.5 and 0.9.6, Red Hat upped the so.# on the libssl file. Mandrake just dropped openssl 0.9.5 altogether, and never bumped the so.#. They weren't required to, and likely, most distributions had no need to. But this is why the libssl dep failed for shacker, because it was looking for a when Mandrake had a I discussed with our openssl maintainer the possibility of looking for both .so.2 and .so.0, but we ended up agreeing that it was a very bad idea, since it would be impossible to guarantee that any given distribution would compile ssl with the same subversion or algorithms, and openssl is not binary compatible between releases. The answer is probably the same as the original answer: If you're using Red Hat, you're fine. If you're using Mandrake or another RPM based distro, you'll want to rebuild the curl-ssl SRPM, so that it can link against the correct version of openssl, install the curl-ssl and curl-ssl-devel that match your system, then rebuild the logjam-ssl SRPM (when it reappears, after licensing issues get straightened out) and install that. Its the only way to be sure. If there's enough demand, I'd be happy to host -mdk versions of the -ssl rpms, but I'm not going to build them myself.

And now, my original reasoning for using ssl enabled curl packages: I like security. Most of you probably do too, I know a lot of people enjoy the ability to do friends only or private posts, or to at least have the option available to them should they ever find the need. Unfortunately, when livejournal login information and content is sent plaintext across the <sarcasm> incredibly secure network known as the Internet </sarcasm>, its as good as public. Encryption is better security, IMHO, and SSL encryption is your friend. Currently, none of the livejournal clients are SSL enabled (to my knowledge, I haven't used the windows clients in eons) and the web update isn't HTTPS (or with the option to use it). I realize that using SSL encryption for authentication and posting would require development work on the LiveJournal servers themselves, and the clients would also have to add code for such functionality, but I think its worth it for privacy, and would also be a useful feature to help LiveJournal gain corporate/educational acceptance.

So I built the logjam rpms with curl-ssl, in the hopes that it would help lay a foundation for an SSL enabled LiveJournal.
  • Post a new comment


    default userpic
    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.