Date: Thu, 1 Aug 2002 15:36:02 -0500
From: "Jacques A. Vidrine"
To: Terry Lambert
Cc: Mikhail Teterin, Alexandr Kovalenko, arch@FreeBSD.ORG
Subject: Re: OpenSSL vs. -lmd
Message-ID: <20020801203601.GA27367@madman.nectar.cc>

On Thu, Aug 01, 2002 at 01:24:25PM -0700, Terry Lambert wrote:
> "Jacques A. Vidrine" wrote:
> > > and is so mixed up
> > > in various code that it's hard to keep up with changes for
> > > security updates.
> >
> > Updating it required only some very minor build-infrastructure changes
> > outside of src/crypto/openssl. I'm not sure what you mean here.
>
> It is hard to update to the latest version of the code on a
> FreeBSD 4.6-RELEASE box.

I still don't follow.

   # cd /usr/src
   # patch -s < /path/to/openssl.patch

Done.

> > > whereas the
> > > other things that come with the package can change rather
> > > frequently, since they speak to policy.
> >
> > I don't understand.
>
> Code which implements policy.

That's what I don't understand. To what code (that implements policy)
are you referring?

> > > Consider that it is very hard to use an updated OpenSSL (e.g.
> > > 0.9.7-Beta or 0.9.6e) with FreeBSD these days.
> >
> > Hmm, all versions of FreeBSD have OpenSSL 0.9.6e.
>
> Even those released before 0.9.6e was available?

We may be talking past each other ... 4.4-RELEASE, 4.5-RELEASE, and
4.6-RELEASE may all be trivially upgraded to OpenSSL 0.9.6e using
either `patch' or `cvsup'. All of these were released prior to the
existence of OpenSSL 0.9.6e.

> > I haven't looked
> > at 0.9.7 personally, but I can't imagine what would prevent one from
> > using it on FreeBSD.
>
> The same thing that prevents people from using the newer
> BIND resolver libraries: the code is maintained separately
> from the FreeBSD project by an outside third party.

Oh, you mean it is non-trivial to have the FreeBSD base utilities
build against a newer OpenSSL? Yes, I don't doubt that could be
true, particularly if the API has changed. But as usual I'm too dense
to get your point.

> No. I mean that I can't build something that will build on
> FreeBSD *and* build on some other platform, without having
> to inventory all of the implicitly installed packages on FreeBSD
> to know which OpenSSL I'm getting.

That's not true --- there are plenty of applications which use
OpenSSL, and that build fine on FreeBSD and other platforms, without
explicit knowledge of what FreeBSD has or does not have in the base
system. I can't help but feel that I am completely missing your
meaning, since surely you cannot be unaware of that fact, or of the
existence and function of things like `autoconf' designed to address
that exact issue.

> > I'm not sure how providing duplicate implementations of the digest
> > functions is useful or desirable. I'm in no hurry to ditch libmd, but
> > I do hope to get around to it someday.
>
> Duplicate functions aren't desirable, but someone imported the
> OpenSSL implementations anyway. 8-).

:-)

Cheers,
-- 
Jacques A. Vidrine                          http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se