Date: Mon, 24 Apr 2023 13:06:14 -0400
From: Ed Maste <emaste@freebsd.org>
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: freebsd-arch <freebsd-arch@freebsd.org>
Subject: Re: OpenSSL in the FreeBSD base system / FreeBSD 14
Message-ID: <CAPyFy2DDpqfBuzdosGgLwnOENmxog-x5NM0YpYAC9Tthi4DbiA@mail.gmail.com>
In-Reply-To: <ZEBmahjXXlvtzP-L@kib.kiev.ua>
References: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com> <ZEBmahjXXlvtzP-L@kib.kiev.ua>

On Wed, 19 Apr 2023 at 18:08, Konstantin Belousov <kostikbel@gmail.com> wrote:
>
> On Wed, Apr 19, 2023 at 12:50:59PM -0400, Ed Maste wrote:
> > A related issue is base system libraries that depend on OpenSSL would
> > also need to be made private. This includes gssapi, heimdal, and
> > libfetch.
> Does ssh and pam in the base depend on the base openssl?
> If yes, then it still leaks into the applications despite being private.

Yes, I see the following libraries which bring in libssl:

/usr/lib/libprivateldns.so.5
/usr/lib/libprivatessh.so.5
/usr/lib/libprivateunbound.so.5
/usr/lib/pam_ssh.so.6
/usr/lib/libfetch.so.6

and libcrypto (privatelibs excluded):

/lib/libzfsbootenv.so.1
/lib/libbe.so.1
/lib/libzfs.so.4
/usr/lib/pam_zfs_key.so.6
/usr/lib/libkafs5.so.11
/usr/lib/libgssapi_ntlm.so.10
/usr/lib/libarchive.so.7
/usr/lib/libkdc.so.11
/usr/lib/libradius.so.4
/usr/lib/libgssapi_krb5.so.10
/usr/lib/libkrb5.so.11
/usr/lib/libhx509.so.11
/usr/lib/pam_radius.so.6
/usr/lib/libssl.so.111
/usr/lib/libkadm5srv.so.11
/usr/lib/libkadm5clnt.so.11
/usr/lib/libhdb.so.11
/usr/lib/pam_ssh.so.6
/usr/lib/libheimntlm.so.11
/usr/lib/libfetch.so.6
/usr/lib/libmp.so.7
/usr/lib/pam_krb5.so.6
/usr/lib/libbsnmp.so.6
/usr/lib/pam_ksu.so.6

Baptiste reported elsewhere that libfetch's use in ports is very limited,
so it could easily be made into a private lib.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPyFy2DDpqfBuzdosGgLwnOENmxog-x5NM0YpYAC9Tthi4DbiA>