From: Franco Fichtner
To: Benjamin Kaduk
Cc: Kimmo Paasiala, freebsd-security, Don Lewis, spil.oss@gmail.com
Subject: Re: scope of private libraries
Date: Mon, 1 Jun 2015 19:03:59 +0200
Message-Id: <2C5684F6-5D01-42BE-A7BD-13DD88040128@lastsummer.de>
References: <201506010138.t511cp2P088983@gw.catspoiler.org>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)
> On 01 Jun 2015, at 18:42, Benjamin Kaduk wrote:
>
> (was Re: avoiding base openssl when building ports)
>
> On Mon, 1 Jun 2015, Kimmo Paasiala wrote:
>
>> This leads to another question. Where is the line going to be drawn
>> which libraries in the base system should be private? There are
>> certainly some of them that have to be public like libc and the
>> support libraries like libusb. There is certainly no sense in making
>> the ports system use full set of its own libraries for everything
>> either.
>
> [changing Subject: in the hopes of preserving Don's original thread...]
>
> Again, I am not one of the people implementing private libraries, but one
> potential motivation for making something private is if the support
> lifecycle of an upstream vendor project does not match with the support
> lifecycle for FreeBSD stable releases. If a library is private in
> FreeBSD, it is more likely to be POLA-compatible to replace it with a new
> upstream version mid-stable-branch than if it was a public library.
>
> Another possible motivator for making something private is if we have a
> library in base only for a small subset of the features it provides, and
> we want to prevent external consumers from trying to rely on the broader
> set of features in that library. This would reduce the support burden for
> the library in question, since bugs or vulnerabilities in the unused
> functionality would not be deemed critical.

I like this. Why not start with OpenSSL in base and make the OpenSSL port
mandatory? Still struggling with the LibreSSL integration, which is quite
obscured by the base library, with recent holes uncovered that also applied
to OpenSSL from ports. The fallback to OpenSSL from base creates a
convenience scenario that hurts (and already has hurt) security.

This makes security-related ports updates faster and reduces the attack
surface of the base system. Everything is moving to pkgng anyway as far as
the pkgng team is concerned. ;)

As a side note, does pkgng really have to depend on base OpenSSL; does it
have to depend on a full-blown SSL library?

Cheers,
Franco
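The "fallback to OpenSSL from base" Franco describes is easy to end up with silently: a port built against the ports OpenSSL (or LibreSSL) can still have one of its dependencies, or libcrypto itself, resolved from /usr/lib or /lib at run time. The following sh script is an added example and not part of this thread or of any FreeBSD tooling. It parses ldd(1)-style output and reports whether a binary resolves libssl/libcrypto from base, from ports (/usr/local/lib), from both ("mixed", the case the message warns about), or not at all. The library paths and the ldd output format are assumptions modelled on FreeBSD 10.x; the sample ldd outputs below are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# classify_ssl_linkage: read ldd(1) output on stdin, print one of
#   base   - libssl/libcrypto resolved from /lib or /usr/lib (base system)
#   ports  - resolved from /usr/local/lib (OpenSSL or LibreSSL port)
#   mixed  - some from base, some from ports (the "fallback" problem)
#   none   - the binary does not link libssl/libcrypto at all
# Paths are assumptions based on FreeBSD's layout, not read from the system.
classify_ssl_linkage() {
    base=0
    ports=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;   # only the TLS/crypto libraries matter
            *) continue ;;
        esac
        case "$line" in
            *'=> /usr/lib/'*|*'=> /lib/'*) base=1 ;;
            *'=> /usr/local/lib/'*)        ports=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then
        echo mixed
    elif [ "$base" -eq 1 ]; then
        echo base
    elif [ "$ports" -eq 1 ]; then
        echo ports
    else
        echo none
    fi
}

# audit_dir: run ldd over every executable in a directory and report the
# ones that pull the TLS stack from base or from a mixture.  Only useful on
# a real FreeBSD host; the classifier above is what the samples exercise.
audit_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -x "$f" ] && [ ! -d "$f" ] || continue
        verdict=$(ldd "$f" 2>/dev/null | classify_ssl_linkage)
        case "$verdict" in
            base|mixed) printf '%s: %s\n' "$f" "$verdict" ;;
        esac
    done
}

# Constructed sample ldd outputs (not captured from any host).
SAMPLE_BASE='	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x800e00000)'

SAMPLE_PORTS='	libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x800a00000)
	libcrypto.so.1.0.0 => /usr/local/lib/libcrypto.so.1.0.0 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x800e00000)'

# libssl from ports, but libcrypto still coming from base: the fallback case.
SAMPLE_MIXED='	libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x800a00000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x800e00000)'

SAMPLE_NONE='	libc.so.7 => /lib/libc.so.7 (0x800e00000)'

if [ "${1:-}" = "--demo" ]; then
    for s in SAMPLE_BASE SAMPLE_PORTS SAMPLE_MIXED SAMPLE_NONE; do
        eval "val=\$$s"
        printf '%s: %s\n' "$s" "$(printf '%s\n' "$val" | classify_ssl_linkage)"
    done
elif [ -n "${1:-}" ]; then
    audit_dir "$1"     # e.g. sh audit_ssl.sh /usr/local/bin
fi
```

On a FreeBSD host the interesting invocation is `audit_dir /usr/local/bin`: anything reported as `base` or `mixed` is a port that will keep using the base OpenSSL no matter how current the OpenSSL or LibreSSL port is, which is exactly the window Franco refers to.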