From owner-freebsd-security@FreeBSD.ORG Sat May 16 14:20:04 2015
Date: Sat, 16 May 2015 17:20:01 +0300
From: Kimmo Paasiala
To: Roger Marquis
Cc: freebsd-security
Subject: Re: Forums.FreeBSD.org - SSL Issue?
In-Reply-To: <20150515183437.E09DAA33@hub.freebsd.org>
References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <20150515152220.C0CC7689@hub.freebsd.org> <1431705766.3563083.269738569.0FA82C3E@webmail.messagingengine.com> <20150515183437.E09DAA33@hub.freebsd.org>
List-Id: "Security issues [members-only posting]"

On Fri, May 15, 2015 at 9:34 PM, Roger Marquis wrote:
> Mark Felder wrote:
>>> Another option is a second openssl port, one that overwrites base and
>>> guarantees compatibility with RELEASE. Then we could at least have all
>>> versions of openssl in vuln.xml (not that that's been a reliable
>>> indicator of security of late).
>>
>> This will never work. You can't guarantee compatibility with RELEASE and
>> upgrade it too.
>
> How do you figure? RedHat does exactly that with every backport, and
> they do it for the life of a release.
>
> Roger

Redhat makes no promise of binary compatibility for locally compiled
software. They can update OpenSSL as they wish from version 1.0.1 to
1.0.2, recompile all affected packages (all of the Redhat "userland" is
covered by .rpm packages), push them to the users, and advise users of
locally compiled software to recompile what they have. This is
unacceptable in FreeBSD, which makes a hard promise that the ABI will
remain compatible throughout the whole lifetime of the same major
version line.

-Kimmo