From owner-freebsd-security@FreeBSD.ORG  Wed Jun 11 14:00:01 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id DFC08611
 for <freebsd-security@freebsd.org>; Wed, 11 Jun 2014 14:00:01 +0000 (UTC)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id CBDD92AB3;
 Wed, 11 Jun 2014 14:00:01 +0000 (UTC)
Received: from janderson.engr.mun.ca (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s5BDxxCJ057701;
 Wed, 11 Jun 2014 14:00:00 GMT (envelope-from jonathan@FreeBSD.org)
Message-ID: <539860DE.9080609@FreeBSD.org>
Date: Wed, 11 Jun 2014 11:29:58 -0230
From: Jonathan Anderson <jonathan@FreeBSD.org>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Dan Lukes <dan@obluda.cz>
Subject: Re: OpenSSL end of life
References: <CAG5KPzyYzcu0qF9m2Fjgh7tTC=RrSMpxzHiDX5zD8_U_aB8k2A@mail.gmail.com>	<5398482C.7020406@obluda.cz>
 <CAG5KPzxQm1ayF=p5pAsttHvxoAOFvNTvxhe6AS-auX27mxdywg@mail.gmail.com>
 <539859BC.2050303@obluda.cz>
In-Reply-To: <539859BC.2050303@obluda.cz>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-security <freebsd-security@freebsd.org>, Ben Laurie <ben@links.org>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jun 2014 14:00:02 -0000

Dan Lukes wrote:
 > 9.3 can be patched during it's lifetime, but 9.3-pX and 9.3-pY needs 
to be binary compatible.
 >
 > If it is not compatible, then it's no 9.3 anymore.
 >
 >> One modification I'd be prepared to contemplate is that 1.0.1 (for
 >> example) is supported for some known period of time, even if it should
 >> be EOL according to the versioning scheme. The question is: how long?
 >> Sounds like you'd want 2 years.
 >
 > Almost acceptable for me.
 >
 > I wish to save 2year lifetime period for FreeBSD.


Once we officially move to the 5-year branch lifetime, even a 2-year 
OpenSSL lifetime becomes problematic. It seems to me that the only 
solution is to remove the ABI promise on OpenSSL: move the base system's 
libcrypt.so into /usr/lib/private. Installed packages would have to 
depend on (up-to-date) OpenSSL from the ports tree, where 2 years might 
be long enough to do the EOL dance.

The problem with this approach is that pkg itself is a package and it 
needs to verify signatures to bootstrap itself before installing any 
OpenSSL package. Perhaps we can come up with a minimal API (ideally one 
function) whose ABI we can continue to support even as we change 
libcrypt versions under the hood.


Jon
-- 
Jonathan Anderson
jonathan@FreeBSD.org