dev-lang/anubis is binary-only software with no new releases and no maintainer in Gentoo. It needs lib{ssl,crypto}.so.0.9.7, which it also ships with it in binary form. Security, please advise: should we (treecleaners) mask it for removal?
Is there some kind of equivalent of this package in our tree? In any case, binary only means there's nothing we can do about it... Has upstream been contacted about this? Seems it's a French team, I can try to contact them to expose the problem and see what they say. I guess it's not much work to use external openssl/libcrypto...
I've mailed upstream, no response yet, and I've also masked it for the time being:

# Samuli Suominen <drac@gentoo.org> (08 Oct 2007)
# Binary only package shipping vulnerable OpenSSL and links against
# it. Masked for removal, unless upstream releases a new version
# or provides us with source. Bug 194287.
dev-lang/anubis
Upstream responded as follows:

<snip>
Hi,

Thank you very much for your mail.

Right now Anubis language is link against the OpenSSL 0.9.8b. We will update the package of Anubis language 1.7.0.1 to 0.9.8e as soon as possible. And for the new version 1.8.x still in beta test, we try to make an external link only.

Because the programmers of Anubis has not so much time, we please you to wait less than one week for an update of that package.

Best regards
David RENE
Anubis Team Manager
</snip>

Waiting then..
setting to enhancement as it's p.masked, ping back when upstream releases a fixed version.
(In reply to comment #4)
> setting to enhancement as it's p.masked, ping back when upstream releases a
> fixed version.
>

They didn't, and I've punted the thing from the tree.