Date:      Fri, 15 May 2015 11:02:46 -0500
From:      Mark Felder <feld@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   Re: Forums.FreeBSD.org - SSL Issue?
Message-ID:  <1431705766.3563083.269738569.0FA82C3E@webmail.messagingengine.com>
In-Reply-To: <20150515152220.C0CC7689@hub.freebsd.org>
References:  <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <20150515152220.C0CC7689@hub.freebsd.org>


On Fri, May 15, 2015, at 10:22, Roger Marquis wrote:
> Mark Felder wrote:
> > In the future FreeBSD's base libraries like OpenSSL hopefully will be
> > private: only the base system knows they exist; no other software will
> > see them. This will mean that every port/package you install requiring
> > OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
> > possible.
> 
> That's one way of approaching it but there are drawbacks to this method.
> Maintaining two sets of binaries and libraries that must be kept separate
> (using what kind of ACLs?) adds complexity.  Complexity is the enemy of
> security.
> 

It should be less complex than you're thinking. It's literally just
libraries outside the linker search path.

> Another option is a second openssl port, one that overwrites base and
> guarantees compatibility with RELEASE.  Then we could at least have all
> versions of openssl in vuln.xml (not that that's been a reliable
> indicator of security of late).
> 

This will never work. You can't guarantee compatibility with RELEASE and
upgrade it too.


