From owner-freebsd-security@freebsd.org  Fri Dec 11 21:44:15 2020
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id A60F04BB8D2
 for <freebsd-security@mailman.nyi.freebsd.org>;
 Fri, 11 Dec 2020 21:44:15 +0000 (UTC)
 (envelope-from franco@lastsummer.de)
Received: from host64.shmhost.net (host64.shmhost.net [213.239.241.64])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4Ct4726Y0jz3C9n
 for <freebsd-security@freebsd.org>; Fri, 11 Dec 2020 21:44:14 +0000 (UTC)
 (envelope-from franco@lastsummer.de)
Received: from p200300cd8727c9fca4b593819ba8e1d5.dip0.t-ipconnect.de
 (p200300cd8727c9fca4b593819ba8e1d5.dip0.t-ipconnect.de
 [IPv6:2003:cd:8727:c9fc:a4b5:9381:9ba8:e1d5])
 by host64.shmhost.net (Postfix) with ESMTPSA id 4Ct4710S3BzNsSp;
 Fri, 11 Dec 2020 22:44:13 +0100 (CET)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl
From: Franco Fichtner <franco@lastsummer.de>
In-Reply-To: <20201211201331.GJ64351@kduck.mit.edu>
Date: Fri, 11 Dec 2020 22:44:09 +0100
Cc: Martin Simmons <martin@lispworks.com>,
 pi8Raiwi via freebsd-security <freebsd-security@freebsd.org>
Content-Transfer-Encoding: 7bit
Message-Id: <83CE80AC-DBBE-49DC-B469-12E004739C51@lastsummer.de>
References: <202012111219.0BBCJYSf000629@higson.cam.lispworks.com>
 <612054DD-F857-455F-AF49-695A910A0D81@lastsummer.de>
 <20201211201331.GJ64351@kduck.mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-Virus-Scanned: clamav-milter 0.102.4 at host64.shmhost.net
X-Virus-Status: Clean
X-Rspamd-Queue-Id: 4Ct4726Y0jz3C9n
X-Spamd-Bar: ++
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=none (mx1.freebsd.org: domain of franco@lastsummer.de has no SPF policy
 when checking 213.239.241.64) smtp.mailfrom=franco@lastsummer.de
X-Spamd-Result: default: False [2.36 / 15.00]; RCVD_TLS_ALL(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[];
 FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3];
 MV_CASE(0.50)[]; NEURAL_SPAM_SHORT(0.96)[0.957];
 MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[lastsummer.de];
 ARC_NA(0.00)[]; AUTH_NA(1.00)[];
 SPAMHAUS_ZRD(0.00)[213.239.241.64:from:127.0.2.255];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[];
 NEURAL_SPAM_LONG(1.00)[1.000];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000];
 R_SPF_NA(0.00)[no SPF record];
 RBL_DBL_DONT_QUERY_IPS(0.00)[213.239.241.64:from];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:24940, ipnet:213.239.192.0/18, country:DE];
 RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 21:44:15 -0000

Hi Ben,

> On 11. Dec 2020, at 9:13 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> Could you please clarify what you mean by "second tier crypto" and "first
> tier crypto"?  I'm having a hard time understanding this statement.

Sorry for being unclear.

First tier = base system crypto for ports
Second tier = ports/packages crypto for ports

It's also true what John-Mark wrote that moving ports to ports-based
crypto does not solve security updates for the dependent base system
parts.  pkg-base can fix this, but then that also requires to stay
clear of package ABI clashes in dependent packages, which requires
concerted updates of base and ports packages or at least some sort of
version constraint / mismatch detection via something other than the
FreeBSD version number.


Cheers,
Franco