[16.18][linux] OpenSSL 1.0.1 is outdated

Post by kitcat »

The Linux version of Factorio ships with OpenSSL 1.0.1f compiled into it (56934), which is now over four years old, outdated and insecure. 1.0.1 is EOL and unmaintained since December 2016.
Please update to OpenSSL 1.0.2, which is an LTS version with support until at least December 2019.

If possible, use the up-to-date OpenSSL 1.0.2 library available on the system instead of shipping your own. 1.0.2 is included in Ubuntu since 16.04, Debian Stable (and Oldstable via backports) and pretty much all other non-ancient Linux distributions.

If you’re worried about anyone really not having OpenSSL 1.0.2, you could include a precompiled library that only gets used as a fallback if no compatible version is found on the system. If you’re extra worried about incompatibilities, add a --prefer-included-libs option too. Actually, I would prefer dynamically linked libraries (with precompiled fallbacks) for all the other currently statically included libraries as well (libpng, libcurl, etc.), so that up-to-date libraries get used whenever possible.
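
Added example, not part of the post above and not Factorio code: one way to check which OpenSSL release is statically linked into a binary is to look for the version banner that libcrypto embeds. The function names are hypothetical, the sample bytes are constructed, and the 1.0.2 minimum is the release line named in the post.

```python
import re
import sys

# OpenSSL 1.0.x embeds banners such as "OpenSSL 1.0.1f 6 Jan 2014" and
# "SSLv3 part of OpenSSL 1.0.1f 6 Jan 2014"; they survive static linking.
# An optional "-fips" style suffix and double-space date padding are allowed.
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-[a-z]+)?\s+\d{1,2} [A-Z][a-z]{2} \d{4}"
)

# Minimum acceptable release line, taken from the post (assumption: adjust it
# to whatever upstream supports when you run the check).
MIN_SUPPORTED = (1, 0, 2)


def find_openssl_banners(data: bytes):
    """Return sorted unique (major, minor, fix, letters) tuples found in data."""
    found = set()
    for m in BANNER.finditer(data):
        major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
        found.add((major, minor, fix, m.group(4).decode()))
    return sorted(found)


def audit(data: bytes, minimum=MIN_SUPPORTED):
    """Map each embedded version to True when it is older than `minimum`."""
    return {
        "%d.%d.%d%s" % v: v[:3] < minimum for v in find_openssl_banners(data)
    }


# Constructed sample laid out like read-only string data, not a real dump.
SAMPLE = (
    b"\x7fELF\x00libpng\x00OpenSSL 1.0.1f 6 Jan 2014\x00"
    b"SSLv3 part of OpenSSL 1.0.1f 6 Jan 2014\x00padding\x00"
)

if __name__ == "__main__":
    # Pass a path to scan a real file; with no argument the sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for version, outdated in audit(blob).items():
        print(version, "OUTDATED" if outdated else "ok")
```

A binary that reports more than one version has several copies linked in, and each one needs to be updated separately.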

Post by HanziQ »

Ubuntu 14 LTS is still supported and ships 1.0.1. I'd prefer statically linking everything and having outdated versions, rather than having to deal with users that for some reason don't have the libraries, or don't have the correct versions.

We'll be statically linking 1.1.0 soon.

Post by kitcat »

HanziQ wrote: Ubuntu 14 LTS is still supported and ships 1.0.1.
It’s still supported for servers but not desktops. Is headless Factorio enough for that? :-/

HanziQ wrote: I'd prefer statically linking everything and having outdated versions, rather than having to deal with users that for some reason don't have the libraries, or don't have the correct versions.
Hence my suggestion to ship with fallback libs and adding an option to prefer the included fallback libs over the system libs.
Alternatively, I’d like to see you shipping shared libs and preferring those over system libs but giving the user an option to prefer system libs or simply the possibility to replace the shipped libs. Anyone attempting that should know enough to fix the resulting mess if anything goes wrong. ;)

HanziQ wrote: We'll be statically linking 1.1.0 soon.
Thanks.
