From nobody Mon Apr 24 17:06:14 2023 X-Original-To: freebsd-arch@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Q4s3m4Rsjz475gx for ; Mon, 24 Apr 2023 17:06:28 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-lj1-f175.google.com (mail-lj1-f175.google.com [209.85.208.175]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Q4s3l66j2z4Gcm for ; Mon, 24 Apr 2023 17:06:27 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.208.175 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com; dmarc=none Received: by mail-lj1-f175.google.com with SMTP id 38308e7fff4ca-2a7ac89b82dso44661481fa.1 for ; Mon, 24 Apr 2023 10:06:27 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682355986; x=1684947986; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=cL6+X4+9gwolbvgl91hBw1Xso3YAlcaHwxpjOQlVLhE=; b=ae+t4VkZKaBRrO0wOG3x4yit2NbnWZTORZqXuDfgs2o+N6bhLNo0TBvPNRa1Pw5vER uH9m+EOpgcS6PNHEdw6MgSTJQ0CyadEyl61Nv8DUavlfTiDJ/vuBdeBlBHdF/jgeNgVB rcDV4/xS/2WABpJPVTYz/X6MxPK4N/XKgk+TmWLvNWunSjRJAFKNRYTbHwjkc34aIbLK HDJFjrGiHI9pAbKaHBG4pYq68JwDpthcpxWkXtHC+G9IAOzYhcm3CbBoiV6zri/d17Km HvJ7V6S4tZicMdYxyXE8Z1Emoi0pRzMtH92k4XygeLYOwzFx0iCQEUsrdgkV/c2F08dC xFOA== X-Gm-Message-State: AAQBX9feCgS50MEga1SNQH0PrtUYkVW8tOlCvxwLSBVljAuY/66MAnEA vARC5uAMfp0/hOLfyipUAnfe4kH36YpCTTWrEh+syrAvjEs= X-Google-Smtp-Source: AKy350Y3l09KVKtVuPyWbcHOgXz7OZl6tZu3q/VDfDPdCDLx8dl+M+g9Tauj+A20GOVskho2K7i78Fr4p35Ox2Cf6Rg= X-Received: by 2002:a2e:2e0e:0:b0:2a8:c32d:1238 with SMTP id u14-20020a2e2e0e000000b002a8c32d1238mr2874677lju.15.1682355985498; Mon, 24 Apr 2023 10:06:25 -0700 (PDT) List-Id: Discussion related to FreeBSD architecture List-Archive: https://lists.freebsd.org/archives/freebsd-arch List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-arch@freebsd.org MIME-Version: 1.0 References: In-Reply-To: From: Ed Maste Date: Mon, 24 Apr 2023 13:06:14 -0400 Message-ID: Subject: Re: OpenSSL in the FreeBSD base system / FreeBSD 14 To: Konstantin Belousov Cc: freebsd-arch Content-Type: text/plain; charset="UTF-8" X-Spamd-Result: default: False [-2.98 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; NEURAL_HAM_SHORT(-1.00)[-0.999]; NEURAL_HAM_LONG(-0.98)[-0.981]; FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; MIME_GOOD(-0.10)[text/plain]; ARC_NA(0.00)[]; FREEMAIL_TO(0.00)[gmail.com]; RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.208.175:from]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MLMMJ_DEST(0.00)[freebsd-arch@freebsd.org]; R_DKIM_NA(0.00)[]; FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; FREEFALL_USER(0.00)[carpeddiem]; RCVD_IN_DNSWL_NONE(0.00)[209.85.208.175:from]; PREVIOUSLY_DELIVERED(0.00)[freebsd-arch@freebsd.org]; MIME_TRACE(0.00)[0:+]; DMARC_NA(0.00)[freebsd.org]; TO_DN_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-Rspamd-Queue-Id: 4Q4s3l66j2z4Gcm X-Spamd-Bar: -- X-ThisMailContainsUnwantedMimeParts: N On Wed, 19 Apr 2023 at 18:08, Konstantin Belousov wrote: > > On Wed, Apr 19, 2023 at 12:50:59PM -0400, Ed Maste wrote: > > A related issue is base system libraries that depend on OpenSSL would > > also need to be made private. This includes gssapi, heimdal, and > > libfetch. > Does ssh and pam in the base depend on the base openssl? > If yes, then it still leaks into the applications despite being private. Yes, I see the following libraries which bring in libssl: /usr/lib/libprivateldns.so.5 /usr/lib/libprivatessh.so.5 /usr/lib/libprivateunbound.so.5 /usr/lib/pam_ssh.so.6 /usr/lib/libfetch.so.6 and libcrypto (privatelibs excluded): /lib/libzfsbootenv.so.1 /lib/libbe.so.1 /lib/libzfs.so.4 /usr/lib/pam_zfs_key.so.6 /usr/lib/libkafs5.so.11 /usr/lib/libgssapi_ntlm.so.10 /usr/lib/libarchive.so.7 /usr/lib/libkdc.so.11 /usr/lib/libradius.so.4 /usr/lib/libgssapi_krb5.so.10 /usr/lib/libkrb5.so.11 /usr/lib/libhx509.so.11 /usr/lib/pam_radius.so.6 /usr/lib/libssl.so.111 /usr/lib/libkadm5srv.so.11 /usr/lib/libkadm5clnt.so.11 /usr/lib/libhdb.so.11 /usr/lib/pam_ssh.so.6 /usr/lib/libheimntlm.so.11 /usr/lib/libfetch.so.6 /usr/lib/libmp.so.7 /usr/lib/pam_krb5.so.6 /usr/lib/libbsnmp.so.6 /usr/lib/pam_ksu.so.6 Baptiste reported elsewhere that libfetch's use in ports is very limited, so it could easily be made into a private lib.