Date:      Wed, 12 Apr 2006 21:07:11 +0200
From:      martinko <martinkov@pobox.sk>
To:        freebsd-questions@freebsd.org
Subject:   Re: upcoming release 6.1: old version of some core components
Message-ID:  <e1jj4v$64i$1@sea.gmane.org>
In-Reply-To: <20060412184851.GA25677@xor.obsecurity.org>
References:  <443BAE40.9050704@dial.pipex.com> <001301c65d7f$0b9dab70$dededede@avalon.lan> <20060411203727.GA90177@xor.obsecurity.org> <e1jhn4$vhe$1@sea.gmane.org> <20060412184851.GA25677@xor.obsecurity.org>

Kris Kennaway wrote:
> On Wed, Apr 12, 2006 at 08:42:44PM +0200, martinko wrote:
> 
>>Kris Kennaway wrote:
>>
>>>On Tue, Apr 11, 2006 at 05:46:06PM +0200, No@SPAM@mgEDV.net wrote:
>>>
>>>
>>>>
>>>>>I can't answer your main question, but I would say that you can bet your 
>>>>>shirt on the fact that there will be no known security issues in the 
>>>>>older packages.
>>>>
>>>>>At least for openssl and openssh you can get latest versions through the 
>>>>>ports.  Not an option for everything -- I see no zlib for example and I 
>>>>>don't believe there's a standard cvs port either.
>>>>
>>>>as for zlib i definitely know that there are 2 security flaws, which can
>>>>lead to problems when invalid compressed data is fed.
>>>
>>>
>>>Already fixed as soon as they were published.  Are there other reasons
>>>to upgrade?
>>>
>>>
>>>
>>>>my problem also is not the installation of ports/packages/custom compiles,
>>>>it's more that the operating system components itself are linked against
>>>>these older libraries and therefore will contain bugs, which may have been
>>>>already solved.
>>>
>>>
>>>The other side of this is that newer versions are often incompatible
>>>(OpenSSL, I'm looking at you), which rules out upgrading the version
>>>in a FreeBSD-STABLE branch since it ruins binary compatibility.
>>>
>>>Kris
>>
>>one may wonder why they change very minor version number/letter only, if
>>the changes are so disturbing..
> 
> 
> It's more that they don't have the foresight and discipline not to
> keep breaking interfaces.  This may have changed recently, but I think
> their policy is still "until we release openssl 1.0 we make no
> promises about compatibility".
> 
> Kris


and it feels they're not going to release 1.0 any time soon.. i've been
seeing 0.9.something for longer than i can remember.

and btw i've always thought of openssl and openssh as somehow
coupled/interconnected. but openssl hasn't reached 1.0 while openssh is
already past 4. (and again it seems to me openssh changes major numbers
not according to major changes but whenever its version reaches x.9.)

funny.
