Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 9 Apr 2014 15:44:53 -0400
From:      Nathan Dorfman <na@rtfm.net>
To:        =?UTF-8?Q?Dag=2DErling_Sm=C3=B8rgrav?= <des@des.no>
Cc:        freebsd-security@freebsd.org, Kimmo Paasiala <kpaasial@icloud.com>, Walter Hop <freebsd@spam.lifeforms.nl>, Pawel Biernacki <pawel.biernacki@gmail.com>
Subject:   Re: Proposal
Message-ID:  <CADgEyUstkxO1i_B9Qsw=K9qT=nrh9evhv8VekMdNKauOQFN6dg@mail.gmail.com>
In-Reply-To: <867g6y1kfe.fsf@nine.des.no>
References:  <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help 
First, the (unfortunately) necessary disclaimer: this is an honest
question to satisfy my curiosity, nothing more. Absolutely no
criticism of anyone is intended.

Is it implausible to suggest that before embarking on the task of
backporting, reviewing, testing and releasing the actual fix, an
announcement could have been made immediately with the much simpler
workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler
flags?

Given the severity of the issue, it doesn't seem that an immediate
advisory stating "here's an immediate workaround, a full fix will be
coming in the next day or two" would be terribly inappropriate.
Perhaps this workaround would have required more testing than I
imagine, but surely it'd be a tiny fraction of the time required to
release the full fix?

While I'm out here drawing fire, I might as well also ask if I'm crazy
to think that it might be a good idea for the base system OpenSSL (and
other third party imports) to just disable any and all non-essential
functionality that can be disabled at compile time? Non-essential
meaning everything not required for the base system to function --
there's always the ports version if anyone needs more.

Thanks for your thoughts, and of course, your ongoing efforts. They
are much appreciated.

-nd.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADgEyUstkxO1i_B9Qsw=K9qT=nrh9evhv8VekMdNKauOQFN6dg>