From: Xin Li
Organization: The FreeBSD Project
Date: Wed, 09 Apr 2014 14:19:58 -0700
To: freebsd-security@freebsd.org
Cc: Ben Laurie, Jung-uk Kim
Subject: Re: Proposal
Reply-To: d@delphij.net
Message-ID: <5345B97E.6000802@delphij.net>
List-Id: "Security issues [members-only posting]"

On 04/09/14 13:39, Nathan Dorfman wrote:
> Moving on, is it not worth talking about going in and defining
> every -DOPENSSL_NO_* flag that exists and doesn't break the base
> system? On the simple grounds that there appears to be little to be
> gained from this kind of feeping creaturism, and plenty, as it
> turns out, to be lost. Of course, maybe the resulting build won't
> even work, or at least not work without significant effort. So this
> is more of a question than an actual suggestion.

I'm not sure how well this can be done (see below), but that can be
done in -HEAD as an experiment at least. All -STABLE branches are
considered API/ABI frozen, which means that if we remove a
functionality, it could break existing applications that happen to
work for a previous FreeBSD release, so this may cause problems for
-STABLE branches as applications would see a loss of functionality.
So this is less likely to happen (IMO).

Another orthogonal thought is that we should probably remove the
static libraries of OpenSSL from -HEAD now (they will still be built
and maybe used in the base system when a static binary is absolutely
needed). This will make it easier to make sure that the system is
clean of outdated OpenSSL bits when updating the libraries.

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die