Evening, gang.
Following a discussion earlier about running-as-root, and various other mitigations required for secure Puppy operation, I decided to do a wee bit of research.
Two things that were mentioned were the need to maintain an up-to-date OpenSSL install, along with up-to-date CA certificates. A plan began to hatch...
OpenSSL requires correspondingly up-to-date versions of libcrypto and libssl. Now, from my own past experience with these, I know for a fact that the repos of older Pups, in particular, will only ever produce the last version made available for them.......which in many cases, is hopelessly out-of-date, and long out of support. This in turn means that you can't use bang up to date CA certs, since newer releases will be expecting newer builds of libcrypto/libssl. Sometimes you can get away with a re-named sym-link, but not often. Anyways.....
Recent experience with John van Sickle's statically-compiled builds of ffmpeg has shown me the value of this type of build, since everything required by the binary is included internally at build time. These can be dropped into Pups of any age - back to at least a certain point, anyway - and still give modern capabilities in a distro that often was built before these newer capabilities were even thought of.
Which is pretty neat. Anybody see where this is heading? 
----------------------------------------------
I found my way to the OpenSSL main website. Now, most mentions of OpenSSL around these parts have usually been to do with 1.1.1, the outgoing LTS release. However, it turns out that the last build of this, 1.1.1u, runs out of support in a matter of weeks. As y'all know, I usually don't worry too much about using older apps & software.....except where internet-facing stuff is concerned. Here, I am pretty strict about keeping stuff up to date.
The newest build is 3.2, but the current LTS build, v 3.0.9, is supported until April 2026.....at least another 2 1/2 years. I did some more digging, and found this site:-
https://freecoder.dev/compile-openssl-from-source/
....that gives quite comprehensive build instructions for compiling OpenSSL from the source code. AND......instructions for how to do a 'static' compile. Which for someone with my miserable compiling skills, was pretty useful, sooo.... 
-----------------------------------
Series 3 OpenSSL also needs libcrypto3, along with libssl3. Some more digging revealed that my test install of jrb's Jammypup64 comes with these pre-installed. So, I loaded up the Devx and kernel-sources SFSs, and set in motion a static compile of OpenSSL 3.0.9. Fingers crossed, I hit 'Enter', annnd.....blow me down if it wasn't successful. Nice one!
I searched through the Debian package listings to find the most up-to-date CA certificates in the 'Bookworm' Miscellaneous section. Accordingly, here's a 64-bit package that combines this static build of OpenSSL along with the very newest up-to-date CA certs.
I've already been running this for several hours in my recent custom Tahrpup64 install. Absolutely no 'side-effects' of any kind; it seems to be running as sweet as a nut, so far.
If anybody wants to take advantage of this 'drop-in' upgrade, y'all can find the .pet here:-
https://www.mediafire.com/folder/efcie6 ... ts+upgrade
Navigate through, and help yourselves. Use at your own risk, obviously.
The Tahr64 trial is taking place in a 'duplicate' install ATM, but I've noticed no adverse behaviour as yet. I've just installed this in Xenialpup64 on the 'new' Dell Latitude lappie, and again, it's giving zero issues.
(I guess I could do a 32-bit one, too, but I'm not at all certain what, if any, 'current' 32-bitzers have the required newer builds of libcrypto & libssl...)
We'll see.
It's nowt special, but it'll help to secure at least a part of your Puppies. Hope it's useful!
Mike. 
