Date: Sun, 27 Apr 2014 08:29:01 -0700
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: freebsd-security@freebsd.org
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
Message-ID: <AFCC7276-2C8F-423E-A417-AE492F5162E6@vpnc.org>
In-Reply-To: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>
References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>

On Apr 27, 2014, at 8:08 AM, Jamie Landeg-Jones <jamie@dyslexicfish.net> wrote:

> Basically what I'm asking: Shouldn't a port that uses OpenSSL *always*
> build against the port if it's installed?

Yes, that is a reasonable expectation. I certainly had it in my head when I rebuilt Sendmail+TLS after Heartbleed, but I didn't think of checking it.

> I realise this isn't always possible to test, especially if the port Makefile
> doesn't have any OpenSSL configuration options, but I'd like to hear
> others' opinions on the matter.

It would be good to add such options to as many ports as possible if it can be done cleanly.

Also, note that this is not bashing on OpenSSL: given their new significant funding, I would certainly expect the OpenSSL project to be finding-and-fixing Heartbleed-level bugs repeatedly in the coming years. It is basically impossible to fix such a bug without bad actors being able to determine and exploit some of the fixes in unpatched systems.

--Paul Hoffman
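
One way to check which OpenSSL a rebuilt port is actually linked against, as an added example that is not part of the original message or of the ports tree. The function names, the use of a `LOCALBASE` environment variable, and the sample `ldd` output (including library version numbers) are constructed for illustration; it assumes base-system libraries live under `/lib` or `/usr/lib` and ports libraries under `/usr/local/lib`.

```shell
#!/bin/sh
# Classify which OpenSSL a binary links against, reading `ldd` output on stdin.
# Prints one of: base, ports, mixed, other, none.
classify_ssl_linkage() {
    awk -v pfx="${LOCALBASE:-/usr/local}/lib/" '
        # ldd lines look like: libssl.so.7 => /usr/lib/libssl.so.7 (0x...)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if (index($3, pfx) == 1) ports = 1            # installed by a port
            else if ($3 ~ /^\/(usr\/)?lib\//) base = 1    # base system copy
            else other = 1                                # somewhere unexpected
        }
        END {
            # "mixed" means libssl and libcrypto come from different installs,
            # so patching only one of them leaves the binary half-updated.
            if (ports && base) print "mixed"
            else if (ports) print "ports"
            else if (base) print "base"
            else if (other) print "other"
            else print "none"
        }'
}

# Run ldd on each binary named on the command line and report the result.
report_ssl_linkage() {
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | classify_ssl_linkage)"
    done
}

# Constructed sample: a port binary that was built against base OpenSSL.
SAMPLE_BASE='/usr/local/sbin/example:
    libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Constructed sample: libssl from ports, libcrypto still from base.
SAMPLE_MIXED='/usr/local/sbin/example:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)'

if [ "$#" -gt 0 ]; then
    report_ssl_linkage "$@"
else
    printf '%s\n' "$SAMPLE_BASE" | classify_ssl_linkage
    printf '%s\n' "$SAMPLE_MIXED" | classify_ssl_linkage
fi
```

Statically linked binaries show no `libssl` line in `ldd` output and are reported as `none`, so that result does not prove a binary is free of OpenSSL code.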