From: Ben Laurie
To: Dan Lukes
Cc: freebsd-security
Date: Wed, 11 Jun 2014 14:00:51 +0100
Subject: Re: OpenSSL end of life
In-Reply-To: <5398482C.7020406@obluda.cz>
On 11 June 2014 13:14, Dan Lukes wrote:
> On 06/11/14 11:32, Ben Laurie:
>
>> Going forward we would only maintain two versions, so when 1.0.3 comes
>> out, 1.0.1 would be EOL.
>
> So, the date of EOL of 1.0.1 will not be known. Just some day the 1.0.3 will
> be released and 1.0.1 becomes damned.

It won't be a huge surprise, because we always have a series of betas.

> Also, I consider it's not so friendly to projects using the OpenSSL.
>
> Some of them wish to declare lifetime of particular version at the time of
> release. It will be possible no longer as embedded OpenSSL may become
> obsolete at any time.

This is already true, because of bugs. And, in practice, no version of
OpenSSL (or anything else, pretty much) has a lifetime such that you can
safely make a non-upgradeable product from it. In other words, the idea
that you can pre-declare a lifetime is fantasy.

> What about ongoing FreeBSD 9.3 release? According to tradition, its EOL
> should occur two years past release. But what will we do if embedded version
> of OpenSSL becomes unsupported just this winter?

I don't know - for a start, just because the OpenSSL team don't support it,
that doesn't mean others can't backport fixes. Alternatively, can 9.3 not
upgrade to a newer OpenSSL?

> I need to make long term upgrade plans. Not happy with "as OpenSSL declared
> EOL, your version of FreeBSD has been EOLed as well. Upgrade NOW (or within
> two weeks - it's no substantial difference for me)"

One modification I'd be prepared to contemplate is that 1.0.1 (for example)
is supported for some known period of time, even if it should be EOL
according to the versioning scheme. The question is: how long? Sounds like
you'd want 2 years.

According to that scheme, 1.0.1 was eligible for EOL in March 2014.

> Just my $0.02 ...
>
> Dan