Date:      Sun, 17 May 2015 13:41:58 -0700
From:      Mel Pilgrim <list_freebsd@bluerosetech.com>
To:        Kimmo Paasiala <kpaasial@gmail.com>
Cc:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: Forums.FreeBSD.org - SSL Issue?
Message-ID:  <5558FD16.104@bluerosetech.com>
In-Reply-To: <CA+7WWSf=vhw1Yh+YSvSxt4zP-NYADT6R4MceSuwLSO=1-sWJwA@mail.gmail.com>
References:  <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <20150515152220.C0CC7689@hub.freebsd.org> <1431705766.3563083.269738569.0FA82C3E@webmail.messagingengine.com> <20150515183437.E09DAA33@hub.freebsd.org> <CA+7WWSf=vhw1Yh+YSvSxt4zP-NYADT6R4MceSuwLSO=1-sWJwA@mail.gmail.com>

On 2015-05-16 07:20, Kimmo Paasiala wrote:
> On Fri, May 15, 2015 at 9:34 PM, Roger Marquis <marquis@roble.com> wrote:
>> Mark Felder wrote:
>>>>
>>>> Another option is a second openssl port, one that overwrites base and
>>>> guarantees compatibility with RELEASE.  Then we could at least have all
>>>> versions of openssl in vuln.xml (not that that's been a reliable
>>>> indicator of security of late).
>>>
>>> This will never work. You can't guarantee compatibility with RELEASE and
>>> upgrade it too.
>>
>> How do you figure?  RedHat does exactly that with every backport, and
>> they do it for the life of a release.
>
> Redhat makes no promise of binary compatibility for locally compiled
> software. They can update OpenSSL as they wish from version 1.0.1 to
> 1.0.2, recompile all affected packages (all of Redhat "userland" is
> covered by .rpm packages) and push them to the users and advise users
> of locally compiled software to recompile what they have. This is
> unacceptable in FreeBSD that makes a hard promise that the ABI will
> remain compatible throughout the whole lifetime of the same major
> version line.

I'm really glad that FreeBSD makes that promise. It means I have a 
long-lived and well-defined scope of compatibility for a given system. 
It makes freebsd-update and pkg possible in production.  I no longer 
have to deal with localized system images.

That's paired with support for linking to openssl from ports and 
FreeBSD's recent direction of decoupling network services from the base. 
I have systems where all of the user-facing services link to openssl 
1.0.2 even though the base OS doesn't.  That means the time it will take 
to reimplement and test on what will eventually become 11.0 won't 
interact chronologically with the security needs of my existing 
deployments on 10.x.  It means "following -current in preprod" is no 
longer part of my day job.  That's a huge deal.