From owner-freebsd-security@FreeBSD.ORG Wed Jun 11 22:43:19 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B6BA8386; Wed, 11 Jun 2014 22:43:19 +0000 (UTC) Received: from smtp1.ms.mff.cuni.cz (smtp1.ms.mff.cuni.cz [IPv6:2001:718:1e03:801::4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2E0F42FC4; Wed, 11 Jun 2014 22:43:18 +0000 (UTC) Received: from kgw.obluda.cz ([194.108.204.138]) by smtp1.ms.mff.cuni.cz (8.14.5/8.14.5) with ESMTP id s5BMh2eV042495 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=OK); Thu, 12 Jun 2014 00:43:14 +0200 (CEST) (envelope-from dan@obluda.cz) Message-ID: <5398DB76.3040707@obluda.cz> Date: Thu, 12 Jun 2014 00:43:02 +0200 From: Dan Lukes Reply-To: freebsd-security User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26 MIME-Version: 1.0 To: Jonathan Anderson Subject: Re: OpenSSL end of life References: <5398482C.7020406@obluda.cz> <539859BC.2050303@obluda.cz> <539860DE.9080609@FreeBSD.org> <53987248.5050103@obluda.cz> <539888B0.9090108@FreeBSD.org> In-Reply-To: <539888B0.9090108@FreeBSD.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jun 2014 22:43:19 -0000 On 06/11/14 18:49, Jonathan Anderson: > I propose that we be a bit more careful about the libraries that we're > willing to commit to an ABI on, restricting ourselves to things that we > are able to maintain internally as a project or where upstream changes > don't break the ABI (e.g. an executable where the interface is the > command line, so all we have to do is preserve existing arguments). So your proposal is to make something like wrapper library around OpenSSL. Such wrapper library will offer stable ABI to the rest of system and will hide possible ABI changes of underlying native OpenSSL. If the underlying OpenSSL will be replaced by other one, the wrapper library will be modified accordingly, to maintain previous ABI. Right ? It sound plausible to me. I'm not sure it will take less resources that self-support of old OpenSSL version, but I can't estimate it right now. >> We need to support particular version of OpenSSL by self during lifetime of particular release. > > Sure, we could do point patches of old OpenSSL versions as > vulnerabilities are discovered, but who's to say that we'll hear about > them if the upstream vendor has stopped doing security advisories? If > everybody else has moved on from 0.9.8, who in the FreeBSD project is > willing to take ownership of such a large and complex code base? OpenSSL is considered part of base system. Either we can support the system for it's lifetime or not. If we have resources to maintain 5-years lifetime, then OK, I will welcome 5-year lifetime. If we have no such resources, then declared lifetime should to be shortened. Both solutions are OK for me. I have nothing against current 1y/2y system. > On 06/11/14 22:31, Joe User: >> Sorry, but i heard/read this kind of discussion since two decades now It can't be overlooked. You are claiming the arguments that are not mine, then you are responding to them. I'm sure you can continue without me even in the future ;-) Dan