Date: Thu, 10 Apr 2014 07:56:37 -0700
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: freebsd-security@freebsd.org
Cc: Pawel Biernacki <pawel.biernacki@gmail.com>
Subject: A different proposal
Message-ID: <C8D2649E-4BD0-4124-9915-CCE1DCCB1A6A@vpnc.org>
In-Reply-To: <CAA3htvv_DePi_A-UjtG0hvybfRSE8KgvSjq5m3yM0FGX9%2BL6QQ@mail.gmail.com>
References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no> <CAA3htvv_DePi_A-UjtG0hvybfRSE8KgvSjq5m3yM0FGX9%2BL6QQ@mail.gmail.com>

On Apr 9, 2014, at 3:46 PM, Pawel Biernacki <pawel.biernacki@gmail.com> wrote:

> Since such situations had happened in the past and are still
> happening, something should be done about them.

Quite right. It is reasonable to assume, given what we now know about the memory allocation scheme in OpenSSL, that other bugs exist and will only be found by exploits. Thus, it is reasonable to assume that there will be future emergencies like Heartbleed related to bugs in OpenSSL.

If your reliance on OpenSSL bugs being fixed requires a fix at a rate faster than what the FreeBSD community provides, then you should not rely on the FreeBSD community. Install OpenSSL on your mission-critical systems from OpenSSL source, not from FreeBSD ports or packages. The OpenSSL source will always be updated before the FreeBSD community fixes are released.

--Paul Hoffman (who will continue to rely on the FreeBSD community for OpenSSL, and is in fact terribly grateful for the volunteers who did this work as quickly as they did)