Date: Fri, 15 May 2015 08:22:07 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
In-Reply-To: <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com>
References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com>
 <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com>
 <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net>
 <20150514193706.V69409@sola.nimnet.asn.au>
 <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net>
 <5554879D.7060601@obluda.cz>
 <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com>

Mark Felder wrote:
> In the future FreeBSD's base libraries like OpenSSL hopefully will be
> private: only the base system knows they exist; no other software will
> see them. This will mean that every port/package you install requiring
> OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
> possible.

That's one way of approaching it but there are drawbacks to this method.
Maintaining two sets of binaries and libraries that must be kept separate
(using what kind of ACLs?) adds complexity. Complexity is the enemy of
security.

Another option is a second openssl port, one that overwrites base and
guarantees compatibility with RELEASE. Then we could at least have all
versions of openssl in vuln.xml (not that that's been a reliable
indicator of security of late).

Roger Marquis
