From owner-freebsd-security@FreeBSD.ORG  Wed Jun 11 12:14:49 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 868BE2A8
 for <freebsd-security@freebsd.org>; Wed, 11 Jun 2014 12:14:49 +0000 (UTC)
Received: from smtp1.ms.mff.cuni.cz (smtp1.ms.mff.cuni.cz
 [IPv6:2001:718:1e03:801::4])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 1B8BC2FEE
 for <freebsd-security@freebsd.org>; Wed, 11 Jun 2014 12:14:48 +0000 (UTC)
Received: from kgw.obluda.cz ([194.108.204.138])
 by smtp1.ms.mff.cuni.cz (8.14.5/8.14.5) with ESMTP id s5BCEbOn050036
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=OK);
 Wed, 11 Jun 2014 14:14:45 +0200 (CEST) (envelope-from dan@obluda.cz)
Message-ID: <5398482C.7020406@obluda.cz>
Date: Wed, 11 Jun 2014 14:14:36 +0200
From: Dan Lukes <dan@obluda.cz>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26
MIME-Version: 1.0
To: Ben Laurie <ben@links.org>
Subject: Re: OpenSSL end of life
References: <CAG5KPzyYzcu0qF9m2Fjgh7tTC=RrSMpxzHiDX5zD8_U_aB8k2A@mail.gmail.com>
In-Reply-To: <CAG5KPzyYzcu0qF9m2Fjgh7tTC=RrSMpxzHiDX5zD8_U_aB8k2A@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-security <freebsd-security@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jun 2014 12:14:49 -0000

On 06/11/14 11:32, Ben Laurie:
> Going forward we would only maintain two versions, so when 1.0.3 comes
> out, 1.0.1 would be EOL.

So, the date of EOL of 1.0.1 will not be known. Just some day the 1.0.3 
will be released and 1.0.1 become damned.

Also, I consider its not so friendly to projects using the OpenSSL.

Some of them wish to declare lifetime of particular version at the time 
of release. It will be possible no longer as embedded OpenSSL may become 
obsolete at any time.

What about ongoing FreeBSD 9.3 release ? According tradition, it's EOL 
should occur two years past release. But what we will do if embedded 
version of OpenSSL become unsupported just this winter ?

I need to make long term upgrade plans. Not happy with "as OpenSSL 
declared EOL, your version of FreeBSD has been EOLed as well. Upgrade 
NOW (or within two weeks - it's no substantial difference for me)"


Just my $0.02 ...

Dan