Date:      Wed, 11 Jun 2014 11:29:58 -0230
From:      Jonathan Anderson <jonathan@FreeBSD.org>
To:        Dan Lukes <dan@obluda.cz>
Cc:        freebsd-security <freebsd-security@freebsd.org>, Ben Laurie <ben@links.org>
Subject:   Re: OpenSSL end of life
Message-ID:  <539860DE.9080609@FreeBSD.org>
In-Reply-To: <539859BC.2050303@obluda.cz>
References:  <CAG5KPzyYzcu0qF9m2Fjgh7tTC=RrSMpxzHiDX5zD8_U_aB8k2A@mail.gmail.com>	<5398482C.7020406@obluda.cz> <CAG5KPzxQm1ayF=p5pAsttHvxoAOFvNTvxhe6AS-auX27mxdywg@mail.gmail.com> <539859BC.2050303@obluda.cz>

Dan Lukes wrote:
 > 9.3 can be patched during its lifetime, but 9.3-pX and 9.3-pY need
 > to be binary compatible.
 >
 > If it is not compatible, then it's no 9.3 anymore.
 >
 >> One modification I'd be prepared to contemplate is that 1.0.1 (for
 >> example) is supported for some known period of time, even if it should
 >> be EOL according to the versioning scheme. The question is: how long?
 >> Sounds like you'd want 2 years.
 >
 > Almost acceptable for me.
 >
 > I wish to save 2-year lifetime period for FreeBSD.


Once we officially move to the 5-year branch lifetime, even a 2-year 
OpenSSL lifetime becomes problematic. It seems to me that the only 
solution is to remove the ABI promise on OpenSSL: move the base system's 
libcrypt.so into /usr/lib/private. Installed packages would have to 
depend on (up-to-date) OpenSSL from the ports tree, where 2 years might 
be long enough to do the EOL dance.

The problem with this approach is that pkg itself is a package and it 
needs to verify signatures to bootstrap itself before installing any 
OpenSSL package. Perhaps we can come up with a minimal API (ideally one 
function) whose ABI we can continue to support even as we change 
libcrypt versions under the hood.


Jon
-- 
Jonathan Anderson
jonathan@FreeBSD.org


