Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 03 Mar 2012 15:01:36 +0200
From:      Volodymyr Kostyrko <c.kworr@gmail.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: openssl from ports
Message-ID:  <4F521630.80108@gmail.com>
In-Reply-To: <4F52134E.1090408@infracaninophile.co.uk>
References:  <86fwdqvf2x.fsf@red.stonehenge.com> <20120302171631.775dd715@scorpio> <867gz2vdtg.fsf@red.stonehenge.com> <20120302182156.58c10d82@scorpio> <4F515B24.9050406@infracaninophile.co.uk> <20120303071958.0c963330@scorpio> <4F52134E.1090408@infracaninophile.co.uk>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Matthew Seaman wrote:
>>> Stable/9, but this hasn't changed in 9.0-RELEASE:
>>>
>>> worm:~:# /usr/bin/openssl version
>>> OpenSSL 0.9.8q 2 Dec 2010
>>
>> Matthew, why does FreeBSD continue to use an older version of OPENSSL
>> for the base system when a newer version is available? While I could
>> understand, even if not fully approve the use of an older version in
>> the same major version, its continues use as the de facto standard in an
>> entirely new major version release is counter productive. There have
>> been many improvements in the 1.x release of OPENSSL so I fail to see
>> the logical use of the older version. If anything, they (the FreeBSD
>> developers) could keep this older version available in the ports system
>> and use the newer version as the default in the base system.
>
> Unfortunately I can't answer that.  I'm not in any position to decide
> such things.
>
> However I can hazard a guess at some of the possible reasons:
>
>     * openssl API changes between 0.9.x and 1.0.0 mean updating the
>       shlibs is not a trivial operation, and it was judged that the
>       benefits obtained from updating did not justify the effort.
>
>     * no one had any time to import the new version.  There's plenty of
>       security-critical stuff depending on openssl, and making sure all
>       of that didn't suffer from any regressions is not a trivial job.
>
>     * simply that no one thought of doing the upgrade.

Actually there is something weird about openssl maintenance:

http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/163951

I asked in the lists, bugged different persons and still can't get clear 
answer about this vulnerability.

You know I'm just not feeling safe with ECDSA keys...

-- 
Sphinx of black quartz judge my vow.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4F521630.80108>