Date:      Sat, 9 Jul 2016 00:33:55 -0700
From:      Xin Li <delphij@delphij.net>
To:        Grzegorz Junka <list1@gjunka.com>, freebsd-ports@freebsd.org
Cc:        d@delphij.net
Subject:   Re: base components should always be default (Re: change in default openssl coming)
Message-ID:  <541d8b69-b177-3ddf-8a2d-560e778001ca@delphij.net>
In-Reply-To: <b4c87f59-fd30-19fd-5251-65c47720a0dc@gjunka.com>
References:  <D13290234BD20864405FC0B2@atuin.in.mat.cc> <f146f327-67f8-2ecf-21a9-b348dbe614c2@aldan.algebra.com> <b4c87f59-fd30-19fd-5251-65c47720a0dc@gjunka.com>

On 7/8/16 12:20, Grzegorz Junka wrote:
>
> The only reason I heard why base isn't updated with the proper package
> from ports is because of security implications. Older versions are more
> security-tested and therefore safer. If there is a vulnerability in the
> base it's much more hassle to update the base than ports.

Not necessarily safer -- for instance on FreeBSD 9.x the base system
OpenSSL is EoL'ed by upstream, and therefore the security fixes are
backported by secteam@ in a case-by-case manner.  Generally speaking,
newer code is safer and supports newer standards, and we recommend ALL
users who are still on FreeBSD 9.x to use the port version of OpenSSL.

The only possible problem with defaulting to port OpenSSL that I can
think of is some DLL hell style issue.  If a base system library links
against OpenSSL, then gets linked into a port binary which links to port
OpenSSL, we may see problems.  For instance, some utilities depend on
libarchive, and libarchive depends on libcrypto (OpenSSL).  If it loads an
OpenLDAP client (i.e. through an NSS module), that depends on port
version of libcrypto, there _may_ be problems.

Cheers,
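
The mixed-libcrypto situation described in the message above can be checked for by looking for one library resolving to two different paths in `ldd` output. This is an added example, not part of the original e-mail; the function names, the sample `ldd` lines and the library versions in them are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Reads ldd-style lines on stdin:
#     libfoo.so.N => /path/to/libfoo.so.N (0xaddr)
# and prints "name: path1 path2 ..." for every library base name that
# resolves to more than one distinct file, e.g. base and port libcrypto.
find_duplicate_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// {
            base = $1
            sub(/\.so(\.[0-9]+)*$/, "", base)    # libcrypto.so.8 -> libcrypto
            if (!((base, $3) in seen)) {         # count each path once
                seen[base, $3] = 1
                paths[base] = (count[base] ? paths[base] " " : "") $3
                count[base]++
            }
        }
        END {
            for (b in count)
                if (count[b] > 1)
                    print b ": " paths[b]
        }
    ' | sort
}

# Constructed sample: a port binary that pulls in base libarchive (linked
# against base libcrypto) and port OpenLDAP (linked against port libcrypto).
# Binary name, versions and addresses are made up.
sample_ldd_output() {
    cat <<'EOF'
/usr/local/bin/example-tool:
	libarchive.so.6 => /usr/lib/libarchive.so.6 (0x800822000)
	libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x800a00000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801000000)
	libc.so.7 => /lib/libc.so.7 (0x801400000)
EOF
}

# Demo on the constructed sample; on a real system use:
#     ldd /path/to/binary | find_duplicate_libs
sample_ldd_output | find_duplicate_libs
```

Modules loaded at run time, such as an NSS module, do not appear in the binary's own `ldd` output, so concatenate the `ldd` output of the binary and of each such module before piping it into the function.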

