From: Franco Fichtner <franco@lastsummer.de>
To: Kimmo Paasiala
Cc: Benjamin Kaduk, freebsd-security <freebsd-security@freebsd.org>
Subject: Re: scope of private libraries
Date: Tue, 2 Jun 2015 17:16:55 +0200
Message-Id: <7C328F06-A37A-4A1D-922E-A077FBABA306@lastsummer.de>
References: <201506010138.t511cp2P088983@gw.catspoiler.org> <2C5684F6-5D01-42BE-A7BD-13DD88040128@lastsummer.de> <936D98CC-EC18-4274-B79D-13320CD398D5@lastsummer.de>
> On 02 Jun 2015, at 16:50, Kimmo Paasiala wrote:
>
> Even if the base system OpenSSL was modularized using pkg it would be
> still subject to ABI stability requirements. In other words it would
> be stuck at the version or versions that are 100% ABI compatible with
> one installed initially on the first minor version of the same major
> version line. Only critical security fixes would be backported to it
> exactly as it is done now with the base system OpenSSL.

OpenSSL base is only used by base, unexposed. All ports are built against OpenSSL from ports. I don't see the ABI problem. pkgng takes care of updating shared library dependencies and ABI changes. We can already move OPNsense installations from OpenSSL to LibreSSL and back without a flinch.

The real issue is hand-rolled production systems that rely on a stable crypto API because someone did not want to add a ports/packages workflow to implement proper dependency tracking. I don't think that has worked out particularly well. ;)

Cheers,
Franco
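As an added illustration of the base-versus-ports split discussed in this thread (an example script written for this page, not code from the thread, from FreeBSD or from OPNsense), the POSIX shell check below classifies which OpenSSL a binary is actually linked against by reading its ldd(1) output. It assumes the FreeBSD layout in which base libraries live in /lib and /usr/lib and ports/packages libraries in /usr/local/lib; the function names and the sample ldd lines are constructed for the example. Binaries reported as "base" or "mixed" under /usr/local are the hand-rolled case Franco describes: programs tied to the base crypto ABI that pkg does not track.

```shell
#!/bin/sh
# Added example: classify which OpenSSL a binary is linked against, from
# ldd(1)-style output. Assumes the FreeBSD layout: base libraries in /lib and
# /usr/lib, ports/packages libraries in /usr/local/lib.

# classify_ssl_libs: read ldd output on stdin and print one word:
#   base   - libssl/libcrypto resolved from /lib or /usr/lib (base OpenSSL)
#   ports  - resolved from /usr/local/lib (ports OpenSSL or LibreSSL)
#   mixed  - both in one process image, i.e. two crypto ABIs loaded at once
#   none   - no libssl/libcrypto dependency at all
classify_ssl_libs() {
    base=0
    ports=0
    while IFS= read -r line; do
        # Only lines naming an OpenSSL/LibreSSL shared object are of interest.
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;
            *) continue ;;
        esac
        # Ports prefix is tested first because /usr/local/lib/ also matches */lib/*.
        case "$line" in
            *" => /usr/local/lib/"*) ports=1 ;;
            *" => /usr/lib/"*|*" => /lib/"*) base=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then
        echo mixed
    elif [ "$ports" -eq 1 ]; then
        echo ports
    elif [ "$base" -eq 1 ]; then
        echo base
    else
        echo none
    fi
}

# check_binary: run ldd on a real file and classify it (interactive use).
check_binary() {
    ldd "$1" 2>/dev/null | classify_ssl_libs
}

# audit_prefix: walk executables under a prefix (e.g. /usr/local/bin) and
# report every binary that is 'base' or 'mixed', i.e. a port or locally built
# program unexpectedly tied to the base OpenSSL ABI.
audit_prefix() {
    find "$1" -type f -perm -u+x 2>/dev/null | while IFS= read -r f; do
        r=$(check_binary "$f")
        case "$r" in
            base|mixed) printf '%s\t%s\n' "$r" "$f" ;;
        esac
    done
}

# Constructed ldd output for three hypothetical binaries (not captured from a real system).
SAMPLE_PORTS='/usr/local/bin/curl:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800600000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800700000)
	libc.so.7 => /lib/libc.so.7 (0x800a00000)'
SAMPLE_BASE='/usr/bin/openssl:
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800600000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800700000)
	libc.so.7 => /lib/libc.so.7 (0x800a00000)'
SAMPLE_MIXED='/usr/local/bin/handrolled:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800600000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800700000)
	libc.so.7 => /lib/libc.so.7 (0x800a00000)'

# Stand-alone demonstration on the constructed samples.
for s in "$SAMPLE_PORTS" "$SAMPLE_BASE" "$SAMPLE_MIXED"; do
    printf '%s -> %s\n' "${s%%:*}" "$(printf '%s\n' "$s" | classify_ssl_libs)"
done
```

On a live system, `audit_prefix /usr/local/bin` lists anything under the ports prefix that resolves libssl or libcrypto from the base directories; "mixed" is the case worth looking at first, since a process that has both libcrypto.so.7 and a ports libcrypto mapped can end up with symbol clashes that no package upgrade will fix.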