From: Franco Fichtner <franco@lastsummer.de>
To: Benjamin Kaduk
Cc: Martin Simmons, pi8Raiwi via freebsd-security
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
Date: Fri, 11 Dec 2020 22:44:09 +0100
Message-Id: <83CE80AC-DBBE-49DC-B469-12E004739C51@lastsummer.de>
In-Reply-To: <20201211201331.GJ64351@kduck.mit.edu>
References: <202012111219.0BBCJYSf000629@higson.cam.lispworks.com> <612054DD-F857-455F-AF49-695A910A0D81@lastsummer.de> <20201211201331.GJ64351@kduck.mit.edu>
X-BeenThere: freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"

Hi Ben,

> On 11. Dec 2020, at 9:13 PM, Benjamin Kaduk wrote:
>
> Could you please clarify what you mean by "second tier crypto" and "first
> tier crypto"? I'm having a hard time understanding this statement.

Sorry for being unclear.

First tier = base system crypto for ports
Second tier = ports/packages crypto for ports

It's also true what John-Mark wrote that moving ports to ports-based crypto
does not solve security updates for the dependent base system parts.

pkg-base can fix this, but then that also requires staying clear of package
ABI clashes in dependent packages, which requires concerted updates of base
and ports packages or at least some sort of version constraint / mismatch
detection via something other than the FreeBSD version number.

Cheers,
Franco