From: Dan Lukes
To: freebsd-security
Subject: Re: OpenSSL end of life
Date: Wed, 11 Jun 2014 17:14:16 +0200
Message-ID: <53987248.5050103@obluda.cz>
References: <5398482C.7020406@obluda.cz> <539859BC.2050303@obluda.cz> <539860DE.9080609@FreeBSD.org>
In-Reply-To: <539860DE.9080609@FreeBSD.org>

On 06/11/14 15:59, Jonathan Anderson:
> Once we officially move to the 5-year branch lifetime

5-year? In such a case, the content of /usr/src/contrib needs to be reevaluated very carefully. OpenSSL is not the only external library here ...

> It seems to me that the only solution is to remove the ABI promise on OpenSSL: move the base system's libcrypt.so into /usr/lib/private.

You are proposing to change the meaning of the words "patch" and "upgrade". Sure, if we call some upgrades "patches", then the version number need not be bumped, so we can reach the 5-year lifetime magically. But it's just magic with the words.

I prefer a different approach. If we can't maintain a 5-year lifetime, then we can't declare it just by tricks.

OK, I have no problem with this kind of black magic. As long as I know the meaning of the words, I can understand the sentences. I will translate the "5-year lifetime" label into something I understand.

Note - English is not my native language. The text above is not meant as an offense in any way. It explains how I understood the solution you mentioned. Although I don't prefer this kind of solution, I can live with it if necessary.

I prefer the other solution mentioned in the thread. We need to support a particular version of OpenSSL ourselves during the lifetime of a particular release.

Despite such self-support, I would like to recommend that OpenSSL releases have a lifetime declared at their release time. It may be extended (by a known amount of time) before it expires if there is no newer release ready.

Dan