Date: Sat, 9 Jul 2016 00:33:55 -0700
From: Xin Li <delphij@delphij.net>
To: Grzegorz Junka <list1@gjunka.com>, freebsd-ports@freebsd.org
Cc: d@delphij.net
Subject: Re: base components should always be default (Re: change in default openssl coming)
Message-ID: <541d8b69-b177-3ddf-8a2d-560e778001ca@delphij.net>
In-Reply-To: <b4c87f59-fd30-19fd-5251-65c47720a0dc@gjunka.com>
References: <D13290234BD20864405FC0B2@atuin.in.mat.cc> <f146f327-67f8-2ecf-21a9-b348dbe614c2@aldan.algebra.com> <b4c87f59-fd30-19fd-5251-65c47720a0dc@gjunka.com>

On 7/8/16 12:20, Grzegorz Junka wrote:
>
> The only reason I heard why base isn't updated with the proper package
> from ports is because of security implications. Older versions are more
> security-tested and therefore safer. If there is a vulnerability in the
> base it's much more hassle to update the base than ports.

Not necessarily safer -- for instance on FreeBSD 9.x the base system OpenSSL is EoL'ed by upstream, and therefore the security fixes are backported by secteam@ in a case-by-case manner. Generally speaking, newer code is safer and supports newer standards, and we recommend ALL users who are still on FreeBSD 9.x to use the port version of OpenSSL.

The only possible problem with defaulting to port OpenSSL that I can think of is some DLL hell style issue. If a base system library links against OpenSSL, then gets linked into a port binary which links to port OpenSSL, we may see problems. For instance, some utilities depend on libarchive, libarchive depends on libcrypto (OpenSSL). If it loads an OpenLDAP client (i.e. through an NSS module), that depends on the port version of libcrypto, there _may_ be problems.

Cheers,
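
An added example, not part of Xin Li's message: a check for the mixed-library situation the message describes, where one process could end up with both the base and the port libcrypto. It reads ldd-style output for a binary and for a module it may load at run time; the sample output, paths and library versions are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: ldd-style output for a base utility followed by an
# NSS module it could load at run time. Paths and versions are illustrative.
sample_ldd_output() {
cat <<'EOF'
/usr/bin/tar:
	libarchive.so.6 => /usr/lib/libarchive.so.6 (0x800849000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)
/usr/local/lib/nss_ldap.so.1:
	libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x801400000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801800000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)
EOF
}

# Read ldd-style output on stdin and print one line per OpenSSL library
# family (libcrypto, libssl) that resolves to more than one distinct file.
# Exit status is 1 when such a conflict is found, 0 otherwise.
find_openssl_conflicts() {
    awk '
        $2 == "=>" && $1 ~ /^lib(crypto|ssl)\.so/ {
            family = $1
            sub(/\.so.*/, "", family)       # libcrypto.so.7 -> libcrypto
            key = family SUBSEP $3          # one entry per family and path
            if (!(key in seen)) {
                seen[key] = 1
                count[family]++
                paths[family] = paths[family] " " $3
            }
        }
        END {
            status = 0
            for (f in count)
                if (count[f] > 1) {
                    print "CONFLICT " f ":" paths[f]
                    status = 1
                }
            exit status
        }
    '
}

# Stand-alone run over the constructed sample.
sample_ldd_output | find_openssl_conflicts ||
    echo "two OpenSSL copies would share one process"
```

On a real system the input would be the concatenated `ldd` output of the binary and of each module it loads dynamically, since a module opened at run time does not appear in the binary's own dependency list.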