Date: Sun, 27 Apr 2014 08:29:01 -0700 From: Paul Hoffman <paul.hoffman@vpnc.org> To: freebsd-security@freebsd.org Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports Message-ID: <AFCC7276-2C8F-423E-A417-AE492F5162E6@vpnc.org> In-Reply-To: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net> References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Apr 27, 2014, at 8:08 AM, Jamie Landeg-Jones <jamie@dyslexicfish.net> wrote: > Basically what I'm asking: Shouldn't a port that uses OpenSSL *always* > build against the port if it's installed? Yes, that is a reasonable expectation. I certainly had it in my head when I rebuilt Sendmail+TLS after heartbleed, but I didn't think of checking it. > I realise this isn't always possible to test, especially if the port Makefile > doesn't have any openSSL configuration options, but I'd like to hear > others opinions on the matter. It would be good to add such options to as many ports as possible if it can be done cleanly. Also, note that this is not bashing on OpenSSL: given their new significant funding, I would certainly expect the OpenSSL project to be finding-and-fixing Heartbleed-level bugs repeatedly in the coming years. It is basically impossible to fix such a bug without bad actors being able to determine and exploit some of the fixes in unpatched systems. --Paul Hoffman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AFCC7276-2C8F-423E-A417-AE492F5162E6>