Date: Wed, 11 Jun 2014 16:21:09 -0700
From: "Constantine A. Murenin" <mureninc@gmail.com>
To: Jonathan Anderson <jonathan@freebsd.org>
Cc: Dan Lukes <dan@obluda.cz>, freebsd-security <freebsd-security@freebsd.org>, Ben Laurie <ben@links.org>
Subject: Re: OpenSSL end of life
Message-ID: <CAPKkNb7v5tuHedouvncopgh5Q6vveoHw62Ss5PKniTMHHDn1FQ@mail.gmail.com>
In-Reply-To: <539860DE.9080609@FreeBSD.org>
References: <CAG5KPzyYzcu0qF9m2Fjgh7tTC=RrSMpxzHiDX5zD8_U_aB8k2A@mail.gmail.com>
 <5398482C.7020406@obluda.cz>
 <CAG5KPzxQm1ayF=p5pAsttHvxoAOFvNTvxhe6AS-auX27mxdywg@mail.gmail.com>
 <539859BC.2050303@obluda.cz>
 <539860DE.9080609@FreeBSD.org>
On 11 June 2014 06:59, Jonathan Anderson <jonathan@freebsd.org> wrote:
> Dan Lukes wrote:
>> 9.3 can be patched during its lifetime, but 9.3-pX and 9.3-pY need to be
>> binary compatible.
>>
>> If it is not compatible, then it's no 9.3 anymore.
>>
>>> One modification I'd be prepared to contemplate is that 1.0.1 (for
>>> example) is supported for some known period of time, even if it should
>>> be EOL according to the versioning scheme. The question is: how long?
>>> Sounds like you'd want 2 years.
>>
>> Almost acceptable for me.
>>
>> I wish to save 2-year lifetime period for FreeBSD.
>
>
> Once we officially move to the 5-year branch lifetime, even a 2-year OpenSSL
> lifetime becomes problematic. It seems to me that the only solution is to
> remove the ABI promise on OpenSSL: move the base system's libcrypt.so into
> /usr/lib/private. Installed packages would have to depend on (up-to-date)
> OpenSSL from the ports tree, where 2 years might be long enough to do the
> EOL dance.
>
> The problem with this approach is that pkg itself is a package and it needs
> to verify signatures to bootstrap itself before installing any OpenSSL
> package. Perhaps we can come up with a minimal API (ideally one function)
> whose ABI we can continue to support even as we change libcrypt versions
> under the hood.

BTW, this crypto bootstrapping problem has already been addressed by
OpenBSD earlier this year through the development of a lightweight
one-algorithm-fits-all signature utility called signify(1).

http://mdoc.su/o/signify.1
http://bxr.su/o/usr.bin/signify/signify.c
http://www.tedunangst.com/flak/post/signify
http://bsd.slashdot.org/story/14/01/19/0124202/openbsd-moving-towards-signed-packages-based-on-d-j-bernstein-crypto

C.