Date:      Wed, 11 Jun 2014 14:00:51 +0100
From:      Ben Laurie <ben@links.org>
To:        Dan Lukes <dan@obluda.cz>
Cc:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: OpenSSL end of life
Message-ID:  <CAG5KPzxQm1ayF=p5pAsttHvxoAOFvNTvxhe6AS-auX27mxdywg@mail.gmail.com>
In-Reply-To: <5398482C.7020406@obluda.cz>
References:  <CAG5KPzyYzcu0qF9m2Fjgh7tTC=RrSMpxzHiDX5zD8_U_aB8k2A@mail.gmail.com> <5398482C.7020406@obluda.cz>

On 11 June 2014 13:14, Dan Lukes <dan@obluda.cz> wrote:
> On 06/11/14 11:32, Ben Laurie:
>
>> Going forward we would only maintain two versions, so when 1.0.3 comes
>> out, 1.0.1 would be EOL.
>
>
> So, the date of EOL of 1.0.1 will not be known. Just some day 1.0.3 will
> be released and 1.0.1 becomes damned.

It won't be a huge surprise, because we always have a series of betas.

> Also, I consider it's not so friendly to projects using OpenSSL.
>
> Some of them wish to declare the lifetime of a particular version at the time of
> release. It will no longer be possible, as embedded OpenSSL may become
> obsolete at any time.

This is already true, because of bugs. And, in practice, no version of
OpenSSL (or anything else, pretty much) has a lifetime such that you
can safely make a non-upgradeable product from it. In other words, the
idea that you can pre-declare a lifetime is fantasy.

> What about the ongoing FreeBSD 9.3 release? According to tradition, its EOL
> should occur two years past release. But what will we do if the embedded version
> of OpenSSL becomes unsupported just this winter?

I don't know - for a start, just because the OpenSSL team don't
support it, that doesn't mean others can't backport fixes.

Alternatively, can 9.3 not upgrade to a newer OpenSSL?

> I need to make long-term upgrade plans. Not happy with "as OpenSSL declared
> EOL, your version of FreeBSD has been EOLed as well. Upgrade NOW (or within
> two weeks - it's no substantial difference for me)".

One modification I'd be prepared to contemplate is that 1.0.1 (for
example) is supported for some known period of time, even if it should
be EOL according to the versioning scheme. The question is: how long?
Sounds like you'd want 2 years. According to that scheme, 1.0.1 was
eligible for EOL in March 2014.

>
>
> Just my $0.02 ...
>
> Dan
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAG5KPzxQm1ayF=p5pAsttHvxoAOFvNTvxhe6AS-auX27mxdywg>