From owner-freebsd-questions@FreeBSD.ORG Sat Mar 3 13:01:40 2012
Message-ID: <4F521630.80108@gmail.com>
Date: Sat, 03 Mar 2012 15:01:36 +0200
From: Volodymyr Kostyrko
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Subject: Re: openssl from ports
In-Reply-To: <4F52134E.1090408@infracaninophile.co.uk>
References: <86fwdqvf2x.fsf@red.stonehenge.com> <20120302171631.775dd715@scorpio> <867gz2vdtg.fsf@red.stonehenge.com> <20120302182156.58c10d82@scorpio> <4F515B24.9050406@infracaninophile.co.uk> <20120303071958.0c963330@scorpio> <4F52134E.1090408@infracaninophile.co.uk>

Matthew Seaman wrote:
>>> Stable/9, but this hasn't changed in 9.0-RELEASE:
>>>
>>> worm:~:# /usr/bin/openssl version
>>> OpenSSL 0.9.8q 2 Dec 2010
>>
>> Matthew, why does FreeBSD continue to use an older version of OPENSSL
>> for the base system when a newer version is available? While I could
>> understand, even if not fully approve, the use of an older version in
>> the same major version, its continued use as the de facto standard in an
>> entirely new major version release is counterproductive. There have
>> been many improvements in the 1.x release of OPENSSL so I fail to see
>> the logical use of the older version. If anything, they (the FreeBSD
>> developers) could keep this older version available in the ports system
>> and use the newer version as the default in the base system.
>
> Unfortunately I can't answer that. I'm not in any position to decide
> such things.
>
> However I can hazard a guess at some of the possible reasons:
>
> * openssl API changes between 0.9.x and 1.0.0 mean updating the
> shlibs is not a trivial operation, and it was judged that the
> benefits obtained from updating did not justify the effort.
>
> * no one had any time to import the new version. There's plenty of
> security-critical stuff depending on openssl, and making sure all
> of that didn't suffer from any regressions is not a trivial job.
>
> * simply that no one thought of doing the upgrade.

Actually there is something weird about openssl maintenance:

http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/163951

I asked in the lists, bugged different persons and still can't get a clear
answer about this vulnerability. You know I'm just not feeling safe with
ECDSA keys...

-- 
Sphinx of black quartz, judge my vow.
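A check for the base-versus-ports split discussed in this thread, added here as an example and not part of any of the messages above: it reports the version string of each OpenSSL binary, flags the 0.9.x series, and shows which libssl/libcrypto a given program resolves at run time. The two paths are the usual FreeBSD base and ports locations (assumed), and ldd is assumed to be available.

```sh
#!/bin/sh
# Added example, not from the thread. Shows which OpenSSL each candidate
# binary really is and which libssl/libcrypto a program links against:
# installing security/openssl from ports leaves /usr/bin/openssl, and
# anything built against the base libraries, on the 0.9.8 series.

# openssl_series "OpenSSL 0.9.8q 2 Dec 2010" -> "0.9.8" (patch letter stripped)
openssl_series() {
    printf '%s\n' "$1" | awk '{ v = $2; sub(/[a-z]+$/, "", v); print v }'
}

# is_legacy 0.9.8 -> true when the series predates 1.0.0
is_legacy() {
    case "$1" in
        0.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# report_binary /usr/bin/openssl -> one line: path, version string, verdict
report_binary() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        printf '%s: not installed\n' "$bin"
        return 0
    fi
    ver=$("$bin" version 2>/dev/null) || ver="unknown"
    if is_legacy "$(openssl_series "$ver")"; then
        printf '%s: %s  [0.9.x series]\n' "$bin" "$ver"
    else
        printf '%s: %s\n' "$bin" "$ver"
    fi
}

# linked_ssl_libs /path/to/program -> libssl/libcrypto the run-time linker resolves
linked_ssl_libs() {
    ldd "$1" 2>/dev/null | awk '/libssl|libcrypto/ { print $3 }'
}

main() {
    # assumed locations: base system and the ports install prefix
    for b in /usr/bin/openssl /usr/local/bin/openssl; do
        report_binary "$b"
    done
    if [ $# -gt 0 ]; then
        printf '%s links against:\n' "$1"
        linked_ssl_libs "$1"
    fi
}
main "$@"
```

Run it with a daemon's path as the argument to see which copy of libssl that daemon actually loads, which is the figure that matters more than the version of the openssl command itself.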