Re: Need new psqlODBC release to update OpenSSL again

From: Dave Page <dpage(at)pgadmin(dot)org>
To: "Inoue, Hiroshi" <inoue(at)tpf(dot)co(dot)jp>
Cc: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, "pgsql-odbc(at)postgresql(dot)org" <pgsql-odbc(at)postgresql(dot)org>
Subject: Re: Need new psqlODBC release to update OpenSSL again
Date: 2014-06-07 10:21:55
Message-ID: CA+OCxow0dvRfAygXbVvsc0Zwad7awmwO_OGbjozGFj8RtZraEw@mail.gmail.com
Lists: pgsql-odbc

On Sat, Jun 7, 2014 at 3:32 AM, Inoue, Hiroshi <inoue(at)tpf(dot)co(dot)jp> wrote:
>
>
> (2014/06/06 17:25), Dave Page wrote:
>>
>> On Fri, Jun 6, 2014 at 5:16 AM, Inoue, Hiroshi <inoue(at)tpf(dot)co(dot)jp> wrote:
>>>
>>> (2014/06/06 8:02), Michael Paquier wrote:
>>>>
>>>>
>>>> On Fri, Jun 6, 2014 at 6:50 AM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>>>>>
>>>>>
>>>>> On Thu, Jun 5, 2014 at 10:35 PM, Inoue, Hiroshi <inoue(at)tpf(dot)co(dot)jp>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> (2014/06/05 22:19), Heikki Linnakangas wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> OpenSSL version 1.0.1h was released today, fixing several new
>>>>>>> vulnerabilities. Looks like we need to make a new psqlODBC release
>>>>>>> again, to
>>>>>>> get these fixed on Windows..
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Does this mean that we simply replace the ssl related dlls packaged in
>>>>>> psqlodbc.msi
>>>>>> and psqlodbc_x64.msi of the release 9.03.0300?
>>>>>
>>>>>
>>>>>
>>>>> You may also need to bump the version number in the MSI/MSM packages
>>>>> to ensure the upgrade happens.
>>>>
>>>>
>>>> Perhaps we should directly do a new release, commit 9e71e4d fixed as
>>>> well a problem with connection closed when queries are sent.
>>>
>>>
>>>
>>> Why are we forced into new releases so often due to bugs in the openssl
>>> libraries? I'd like to reflect some changes for the next release
>>> but it would take some time. In addition I've had little time to
>>> test recent changes.
>>
>>
>> That's the nature of releasing software that relies on third-party
>> security components unfortunately. EDB have to put the work of a dozen
>> or so people on hold for a week every time this happens :-/
>>
>>> All package files at http://www.postgresql.org/ftp/odbc/versions/msi
>>> (msm or dll) may contain old openssl dlls. If the dlls are so
>>> risky, shouldn't we remove the package files?
>>
>>
>> Probably, yes.
>>
>>> Simply repackaging Windows 9.03.0300 version (or other versions as
>>> well?) replacing openssl dlls by new ones is unfavorable?
>>
>>
>> Users typically won't update the files though, no matter how much you
>> try to put notices and warnings in front of them.
>
>
> What I mean is that I'd prefer not to take in other changes for
> this release and would like to release a Windows-limited version.
> As you say, the Product version must be bumped up at least.

Oh, for sure. There's no need to update anything else, unless you want to.

>> Even aside from
>> that, we've been working hard in recent years to make it easier for
>> users to get started and having them manually update things is a big
>> step backwards. Last but not least - manually updating files from an
>> MSI package can cause problems with the Windows Installer.
>
>
> ISTM the new release isn't a kind of "we are pleased to announce" one.
> Maybe we would have to announce that existing drivers are poison.
>
> Anyway I'm inclined to separate third party libraries from psqlodbc.msi
> e.g. in the next major version up.

Please don't - that'll just make it harder for all users to get things right.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
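The thread's practical question is which shipped packages still carry a pre-1.0.1h OpenSSL. As an added example (not code from the thread or the psqlODBC project), the script below scans a binary blob for the version banner that OpenSSL embeds in its libraries (OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.0.1h 5 Jun 2014") and reports whether it is older than the fixed release; the sample DLL contents are constructed, and the 1.0.1h threshold is the version named in the thread.

```python
import re
from typing import List, Tuple

# OpenSSL libraries embed their OPENSSL_VERSION_TEXT banner as a plain string,
# e.g. b"OpenSSL 1.0.1h 5 Jun 2014". Capture major.minor.patch plus the
# optional letter suffix (1.0.1g, 1.0.1h, ...).
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)\b")

# Constructed stand-ins for a DLL from an old MSI and from a repackaged one.
SAMPLE_OLD_DLL = b"MZ\x90\x00" + b"\x00" * 32 + b"OpenSSL 1.0.1g 7 Apr 2014\x00" + b"\x00" * 16
SAMPLE_NEW_DLL = b"MZ\x90\x00" + b"\x00" * 32 + b"OpenSSL 1.0.1h 5 Jun 2014\x00" + b"\x00" * 16


def parse_version(tag: str) -> Tuple[int, int, int, str]:
    """Turn '1.0.1h' into a comparable tuple; the empty suffix sorts before 'a'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", tag)
    if not m:
        raise ValueError(f"not an OpenSSL version tag: {tag!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def find_openssl_versions(blob: bytes) -> List[str]:
    """Return each distinct OpenSSL version banner found in the blob, in order."""
    seen: List[str] = []
    for m in BANNER.finditer(blob):
        tag = b"".join((m[1], b".", m[2], b".", m[3], m[4])).decode("ascii")
        if tag not in seen:
            seen.append(tag)
    return seen


def needs_update(blob: bytes, fixed: str = "1.0.1h") -> bool:
    """True if the blob carries an OpenSSL build older than the fixed version.

    A blob with no banner at all is reported as False: absence of the string
    is not evidence either way, so callers should treat it as 'unknown'.
    """
    threshold = parse_version(fixed)
    return any(parse_version(v) < threshold for v in find_openssl_versions(blob))


def check_file(path: str, fixed: str = "1.0.1h") -> bool:
    """Convenience wrapper for a real DLL on disk, e.g. libeay32.dll from an MSI."""
    with open(path, "rb") as fh:
        return needs_update(fh.read(), fixed)


if __name__ == "__main__":
    for name, blob in (("old package", SAMPLE_OLD_DLL), ("new package", SAMPLE_NEW_DLL)):
        print(name, find_openssl_versions(blob), "needs update" if needs_update(blob) else "ok")
```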
