Date: Tue, 4 Oct 2016 18:30:50 -0400
From: Jung-uk Kim <jkim@FreeBSD.org>
To: Ngie Cooper <yaneurabeya@gmail.com>, roger@purplecat.net
Cc: freebsd-hackers@freebsd.org, des@FreeBSD.org
Subject: Re: Reported version numbers of base openssl and sshd
Message-ID: <9e7742fa-a995-b58f-8cd3-30d77d4fab6c@FreeBSD.org>
In-Reply-To: <2530D2B9-F7EA-4A12-A596-1B2BF4B83AAF@gmail.com>
References: <01eb01d21e52$4a7f1640$df7d42c0$@net> <2530D2B9-F7EA-4A12-A596-1B2BF4B83AAF@gmail.com>
On 10/04/2016 18:21, Ngie Cooper wrote:
> (CCing the current maintainers for OpenSSL and ssh)
>
>> On Oct 5, 2016, at 00:16, Roger Eddins <roger@purplecat.net> wrote:
>>
>> Dear Maintainers,
>>
>> Thank you for your excellent efforts in maintaining the FreeBSD code base.
>>
>> Question: Could version number obfuscation be added to openssl and sshd or
>> have the proper relative patch version number reported from the binaries in
>> the base system?
>>
>> Reasoning: PCI compliance is becoming an extreme problem due to scanning
>> false positives from certain vendors and a big time waster with older
>> FreeBSD releases reporting the original base version number even after patch
>> updates. This is requiring us to compile/run openssl port and
>> openssh-portable creating a highly unnecessary maintenance burden on our
>> admins when the package binaries would be sufficient if these core base
>> components would report the latest version number. Of course, blocking the
>> scanning engines on certain ports is an easy trick but that doesn't solve
>> the root cause of the problem. We have a snowflake type environment for
>> custom hosting solutions so that hopefully gives a good picture of why using
>> ports for these core components is so time consuming.
>>
>> If the official stance is to use openssl port and openssh-portable just so
>> the FreeBSD OS can report back the latest version number to PCI scanning
>> engines, so be it but makes little sense at least in the context we exist in
>> and interfacing with PCI compliance vendors.
>
> I think this request sounds reasonable. I don't know how difficult it might be or what exactly you have in mind version number wise.. But I'm guessing you have a straightforward idea that could be described.

As an OpenSSL maintainer for the base, I always try to merge the latest OpenSSL releases. For releng branches, so@ is in total control.

Jung-uk Kim