Date: Mon, 22 Mar 2004 12:33:07 -0600 From: Nikolas Britton <freebsd@nbritton.org> To: Ash Gokhale <ash.gokhale@noaa.gov>, freebsd-newbies@freebsd.org Subject: Re: FreeBSD-newbies is a community. Message-ID: <405F3163.5080108@nbritton.org> In-Reply-To: <8FABFD6B-7C1E-11D8-8E5E-00039383C51E@noaa.gov> References: <002101c40ea7$8d9ab470$6c01a8c0@sal> <8FABFD6B-7C1E-11D8-8E5E-00039383C51E@noaa.gov>
next in thread | previous in thread | raw e-mail | index | archive | help
Ash Gokhale wrote: > The crypto (libcrypto) framework is a set of algorithms , code , > headers and libraries that allow your machine to encrypt and decrypt > traffic bound for where someone might want to read, alter or forge it, > and you don't want them to. There are places where it is not legal use > or export some of this technology; find out if you live in one. > > OpenSSLis a part of that framework. To think you run a secure > machine, you must convince yourself that It's secure on all levels. > All the applications on your machine look to libcrypto to provide > security services to provide. It's the engine for packages like SSH > and Apache/SSL. Above the hardware and the kernel, it's the basis for > all the crypto on the machine. Never versions of applications require > current versions of libcrypto to resist attacks based on known bugs. > > Ports is easy. By building out of ports you are leveraging other > peoples work, but you might not say with high confidence that the > ports system builds libcrypto to your level of paranoia. If you can > conceive of some malicious person slipping something bad into the > repository (it has happened to other OS's), you may want to build it > yourself. I donno that seems kinda flawed to me, can you guarantee with high confidence that a malicious person didn't slip something into the source code at the source? > Building it yourself is the other option. Before there was a ports > tree, you had to build it all by hand, in doing so you learn much > about your machine and the thousands of ways to break it. OpenSSL.org > makes the signed source code available; which you can be reasonably > sure has not been tampered. When you get good at the process you can > commit your own port to the ports tree. Besides the educational factor, you can never be 100% certin that what you built isn't allready compromised unless you do everything yourself, from scratch. This essentially mutes the whole point of not using the port, your time would be better spent auditing the ports patch code.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?405F3163.5080108>