From: Xin Li
To: Grzegorz Junka, freebsd-ports@freebsd.org
Cc: d@delphij.net
Date: Sat, 9 Jul 2016 00:33:55 -0700
Subject: Re: base components should always be default (Re: change in default openssl coming)
Message-ID: <541d8b69-b177-3ddf-8a2d-560e778001ca@delphij.net>

On 7/8/16 12:20, Grzegorz Junka wrote:
>
> The only reason I heard why base isn't updated with the proper package
> from ports is because of security implications. Older versions are more
> security-tested and therefore safer. If there is a vulnerability in the
> base it's much more hassle to update the base than ports.

Not necessarily safer -- for instance on FreeBSD 9.x the base system
OpenSSL is EoL'ed by upstream, and therefore the security fixes are
backported by secteam@ in a case-by-case manner. Generally speaking,
newer code is safer and supports newer standards, and we recommend ALL
users who are still on FreeBSD 9.x to use the port version of OpenSSL.

The only possible problem with defaulting to port OpenSSL that I can
think of is some DLL hell style issue. If a base system library links
against OpenSSL, then gets linked into a port binary which links to port
OpenSSL, we may see problems.

For instance, some utilities depend on libarchive, libarchive depends
on libcrypto (OpenSSL). If it loads an OpenLDAP client (i.e. through an
NSS module), that depends on the port version of libcrypto, there _may_ be
problems.

Cheers,
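
Added example, not part of the original message: a shell helper that checks for the mixed-libcrypto situation described above by scanning ldd-style output for a binary and the modules it loads, and reporting any library resolved from more than one path. The function names, sample paths and soname versions are constructed for illustration.

```shell
#!/bin/sh
# Flag libraries that one process would map from two different paths
# (for example base /lib/libcrypto and ports /usr/local/lib/libcrypto).
# Input on stdin: ldd-style lines "libfoo.so.N => /path/libfoo.so.N (0x...)"
# collected from the binary and from every module it loads at run time.

find_duplicate_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// {
            stem = $1
            sub(/\.so.*$/, "", stem)      # libcrypto.so.8 -> libcrypto
            if ((stem, $3) in seen)       # same file listed twice: ignore
                next
            seen[stem, $3] = 1
            if (count[stem]++)
                paths[stem] = paths[stem] " " $3
            else
                paths[stem] = $3
        }
        END {
            for (s in count)
                if (count[s] > 1)
                    print s ": " paths[s]
        }
    ' | sort
}

# Constructed sample: a base utility linked against libarchive, plus an
# NSS LDAP module built from ports. Paths and sonames are illustrative.
sample_ldd_output() {
    cat <<'EOF'
/usr/bin/bsdtar:
    libarchive.so.6 => /usr/lib/libarchive.so.6 (0x800849000)
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)
/usr/local/lib/nss_ldap.so.1:
    libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x801800000)
    libcrypto.so.9 => /usr/local/lib/libcrypto.so.9 (0x801c00000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)
EOF
}

sample_ldd_output | find_duplicate_libs
```

On a live system the input would come from running ldd on the binary and on each module it loads; modules loaded through NSS do not appear in the binary's own ldd listing, so they have to be listed separately.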