From: Roger Marquis
To: freebsd-current@freebsd.org
Date: Fri, 18 Dec 2015 15:21:13 -0800 (PST)
Subject: Base Packaging in 11

Forwarding this from freebsd-security in case anyone here can update us
regarding the status of base packaging or has URLs for projects/release-pkg.

Roger

>Date: Fri, 18 Dec 2015 14:21:04 -0800 (PST)
>To: freebsd-security@freebsd.org
>Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
>
>rhi wrote:
>>> Until now, I have avoided installing the OpenSSL port because the base
>>> OpenSSL gets security updates via freebsd-update and so it's one thing less
>>> to care about... also, I don't like the idea of having two different
>>> versions of the same thing on the system
>
>A fair number of sites have this issue, particularly with ssl and ssh
>binaries. IME this is one of FreeBSD's more longstanding administrative and
>security weaknesses. It is particularly painful for those of us who have
>to support a release for several years (after the last base update).
>
>>> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
>>> is only used for the system itself?
>
>If you need the most recent ciphers and protocols you'll normally need to
>use the port. Features are backported from the (higher) port version to
>the base version, i.e., without bumping the version string; however, it's
>not clear whether all applications can take advantage of them.
>
>Matthew Seaman wrote:
>> There are plans to make many of the base system shlibs private and that
>> includes switching the ports to use openssl from ports, but I don't think
>> any changes along those lines are really imminent.
>
>Are you sure? 3 months ago DES thought they'd be ready for 11:
>
> > The plan is for 11 to have a fully packaged base system. There should
> > be some information in developer summit reports on the wiki. The code
> > is in projects/release-pkg.
>
>However I don't see a projects/release-pkg dir in -CURRENT.
>
>Any recommendations as to how we might help this particular effort?