nostr:npub1ysufjjd485tftr4wy2a83fqyqvtfq0yn820gl8vl6hcsdz8uv2hskx2jyl Would an option to do "static except these specific things" make sense? :blobfoxthink: Or are we just back at square one then? Because if OpenSSL can be such a problem, I assume distros make sure they have the newest version anyhow, so it wouldn't create the compatibility issues we see now. Or am I seeing things too simplistically?
nostr:npub19zcmd845ct95g9q487mr02jzwuhzg4f0knz33prsaq7lw2vcvqxqt5padn Yeah and while distros can get embargos for OpenSSL so they can at least prepare themselves, you're likely not going to.
And OpenSSL is used for HTTPS requests, so pretty much directly network-facing and it can have rather nasty security vulnerabilities.
Discussion
nostr:npub19zcmd845ct95g9q487mr02jzwuhzg4f0knz33prsaq7lw2vcvqxqt5padn Sadly OpenSSL is one of those doubly-annoying libraries that you both do not want to vendor *and* has regular ABI breaks.
Distros should provide older/newer versions as compatibility but neither Debian nor Ubuntu are doing this (and of course they're also a pain to package for…).
It's pretty much a stalemate kind of situation where the only thing you can do is make a bad choice. (And nearly be forced to it because Debian stale also means supporting nearly-EOL versions of Elixir…)
My wish is for Debian to have a non-frozen or at least more up to date repository for things like applications, quite like what you get on the BSD side of things with base system being frozen for long term while ports are being regularly updated (either rolling or snapshots).