Date: Wed, 11 Jun 2014 22:31:18 +0200
From: Joe User
Reply-To: joeuser@rootservice.org
Organization: RootService
To: freebsd-security@freebsd.org
Subject: Re: OpenSSL end of life
In-Reply-To: <53986023.7050203@obluda.cz>

On 11.06.2014 15:56, Dan Lukes wrote:
> On 06/11/14 15:00, Ben Laurie:
>>> What about the ongoing FreeBSD 9.3 release? According to tradition,
>>> its EOL should occur two years past release. But what will we
>>> do if the embedded version of OpenSSL becomes unsupported just this
>>> winter?
>>
>> I don't know - for a start, just because the OpenSSL team don't
>> support it, that doesn't mean others can't backport fixes.
>
> Sorry, I missed this. Yes, it's a solution as well.
>
> I'm familiar with it. I'm backporting the newest FreeBSD SAs and ENs
> into FreeBSD 8.3-R despite its declared EOL.
>
> But such an approach has a big "marketing" drawback. If there are
> published announcements that OpenSSL version a.b.c is obsolete,
> unsupported, unsafe and dangerous, then it's hard to offer a system
> based on it, despite promises that YOUR particular incarnation of
> openssl a.b.c is patched and safe.

How many libs/binaries in contrib (and even in the rest of base) of 9.x are EOL or unsupported or whatever by their upstreams? So why should OpenSSL not be one of them? Take the outdated/unsupported/EOL/whatever versions of OpenSSH or ZFS shipping with 9.x, which could lead to insecure logins or data loss/corruption because they are "EOL"...

If you're a vendor using FreeBSD (or any software in general), then you have to continuously follow the respective upstream and regularly ship updates/upgrades to your products/customers. If this means that you have to upgrade from 9.x to 10.x, then do it now and not when it's too late.

Nothing bothers me as a user more than vendors not doing their work to deliver updates and upgrades ASAP. Even embedded devices can be upgraded, so don't try this argument. And even if that's really not possible, then that device has to be replaced completely.

Sorry, but I have heard/read this kind of discussion for two decades now and nothing has changed. That "Never change a running system" thing has always been wrong, and today it's the worst case of all.

So, don't care about "marketing drawbacks", just do your job and provide up-to-date products and updates/upgrades. Release/update early and often, not (too) late and fewer/never...
FreeBSD is a rolling release, so the "releases" are in reality only simple snapshots of the codebase, not more and not less. Some parts roll faster than light while others need decades per bit.

OK, enough off-topic. I'm fine with two years (IMHO one year would be even better; aren't we in the post-Snowden era where crypto will be reinvented fast?)

--
Kind Regards,
Markus Kohlmeyer
PGP: 0xEBDF5E55 / 2A22 1F71 AA70 1AD1 231B 0178 759F 407C EBDF 5E55