Today I see the following:

I uninstalled dev-libs/openssl-0.9.8s-r1 because there is
a GLSA (201110-01 / openssl) against it.

But acroread-9.4.2 wants the installation of
openssl-0.9.8s-r1:

> # emerge -uDpvtN world

These are the packages that would be merged, in reverse
order:

Calculating dependencies... done!
[nomerge ] app-text/acroread-9.4.2 USE="cups ldap
nsplugin -minimal" LINGUAS="de en -fr -ja" [ebuild NS
] dev-libs/openssl-0.9.8s-r1 [1.0.0f-r1] USE="gmp sse2
zlib -bindist -kerberos -test" 0 kB

Total: 1 package (1 in new slot), Size of downloads: 0 kB

The last stable openssl is already installed:
> # eix -I openssl
[i] dev-libs/openssl
Available versions:
(0.9.8) 0.9.8r ~0.9.8s 0.9.8s-r1
(0) 1.0.0d 1.0.0e ~1.0.0e-r1 ~1.0.0f 1.0.0f-r1
{bindist gmp kerberos rfc3779 sse2 static-libs test
zlib}
Installed versions: 1.0.0f-r1(07:52:58 PM
01/16/2012)(gmp sse2 zlib -bindist -kerberos -rfc3779
-static-libs -test)
Homepage: http://www.openssl.org/
Description:

As far as I know acroread is not unmasked in this
installation, nor is openssl
> # grep -i acro /etc/portage/*
> # grep -i ssl /etc/portage/*
shows nothing, so acroread and ssl is «stable».

For now I just uninstalled acroread to prevent the
installation of a buggy openssl version, but this seems
wrong for a mostly stable installation...

Any hints how to proceed? Is there any danger to have an
old (and apparently buggy) openssl lib installed in parallel
with the recent one?

Urs

On Mon, 16 Jan 2012 20:29:28 -0200
Urs Schutz <u.schutz@bluewin.ch> wrote:

> As far as I know acroread is not unmasked in this
> installation, nor is openssl
> > # grep -i acro /etc/portage/*
> > # grep -i ssl /etc/portage/*
> shows nothing, so acroread and ssl is «stable».
>
> For now I just uninstalled acroread to prevent the
> installation of a buggy openssl version, but this seems
> wrong for a mostly stable installation...
>
> Any hints how to proceed? Is there any danger to have an
> old (and apparently buggy) openssl lib installed in parallel
> with the recent one?

That's always a tricky one.

Users want Adobe's shiny stuff and Adobe is notorious for releasing
crap software. For whatever reason, acroread on x86 profile requires
openssl in the 0.9.8 series and that can't be worked around.

The answer to your question is "are you prepared to live with it?"

The GLSA indicates that this is quite a severe issue so maybe it should
be hard masked. However, that will break acroread and there's only one
version in the tree. Hardmask openssl:0.9.8 means hardmask acroread and
that means thousands of whinging users.

So the devs are between a rock and a hard place where all the issues
are out of their control. The only middle path left is to inform all
the users as much as possible and let them decide for themselves.

Personally, I would deep-six acroread and use any one of the many PDF
readers out there.

The tax authority in my country uses new funky PDF features in Reader
for on-line tax returns so I need access to Reader once a year. For
that, there's wine, Windows in VirtualBox or the wife's computer.


--
Alan McKinnnon
alan.mckinnon@gmail.com

On Tue, 17 Jan 2012 12:35:50 +0200
Alan McKinnon <alan.mckinnon@gmail.com> wrote:

> On Mon, 16 Jan 2012 20:29:28 -0200
> Urs Schutz <u.schutz@bluewin.ch> wrote:
>
> > As far as I know acroread is not unmasked in this
> > installation, nor is openssl
> > > # grep -i acro /etc/portage/*
> > > # grep -i ssl /etc/portage/*
> > shows nothing, so acroread and ssl is «stable».
> >
> > For now I just uninstalled acroread to prevent the
> > installation of a buggy openssl version, but this seems
> > wrong for a mostly stable installation...
> >
> > Any hints how to proceed? Is there any danger to have an
> > old (and apparently buggy) openssl lib installed in
> > parallel with the recent one?
>
> That's always a tricky one.
>
> Users want Adobe's shiny stuff and Adobe is notorious for
> releasing crap software. For whatever reason, acroread on
> x86 profile requires openssl in the 0.9.8 series and that
> can't be worked around.
>
> The answer to your question is "are you prepared to live
> with it?"
>
> The GLSA indicates that this is quite a severe issue so
> maybe it should be hard masked. However, that will break
> acroread and there's only one version in the tree.
> Hardmask openssl:0.9.8 means hardmask acroread and that
> means thousands of whinging users.
>
> So the devs are between a rock and a hard place where all
> the issues are out of their control. The only middle path
> left is to inform all the users as much as possible and
> let them decide for themselves.
>
> Personally, I would deep-six acroread and use any one of
> the many PDF readers out there.
>
> The tax authority in my country uses new funky PDF
> features in Reader for on-line tax returns so I need
> access to Reader once a year. For that, there's wine,
> Windows in VirtualBox or the wife's computer.
>
>

Thanks for the reply. I switched to app-text/evince , this
seems fine for just reading pdf.

Urs