Date:      Thu, 10 Apr 2014 13:40:29 -0700
From:      Paul Hoffman <paul.hoffman@vpnc.org>
To:        Nathan Dorfman <na@rtfm.net>
Cc:        freebsd-security@freebsd.org, Pawel Biernacki <pawel.biernacki@gmail.com>
Subject:   Re: A different proposal
Message-ID:  <86C6A2FD-DA42-425C-9E49-4A959311955F@vpnc.org>
In-Reply-To: <CADgEyUu%2B0_SWU08zxB9OpdLG_hTCoEB6V9vAA8=40qsH6S%2B%2BKA@mail.gmail.com>
References:  <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no> <CAA3htvv_DePi_A-UjtG0hvybfRSE8KgvSjq5m3yM0FGX9%2BL6QQ@mail.gmail.com> <C8D2649E-4BD0-4124-9915-CCE1DCCB1A6A@vpnc.org> <CADgEyUu%2B0_SWU08zxB9OpdLG_hTCoEB6V9vAA8=40qsH6S%2B%2BKA@mail.gmail.com>

On Apr 10, 2014, at 12:34 PM, Nathan Dorfman <na@rtfm.net> wrote:

> On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> If your reliance on OpenSSL bugs being fixed requires a fix at a rate
>> faster than what the FreeBSD community provides, then you should not
>> rely on the FreeBSD community. Install OpenSSL on your mission-critical
>> systems from OpenSSL source, not from FreeBSD ports or packages.
>
> I really don't think one needs to go this far. The workaround provided
> in the original OpenSSL advisory, recompiling with
> -DOPENSSL_NO_HEARTBEATS, was directly applicable to FreeBSD. For
> anyone unsure exactly where to effect that option, it was discussed on
> this very list. Also posted on this list was a working patch
> containing the actual fix, on Monday afternoon.

That fixed *this* bug; earlier ones took actual patches.

> So yes, if you want a fully tested, reviewed and supported fix, you
> had to wait, but anyone in desperate need of an immediate fix had
> options that didn't involve ditching FreeBSD's OpenSSL.

I was not proposing ditching FreeBSD's OpenSSL when the next bug was
found: I was proposing that you switch at your own speed before the next
emergency. And I'm not proposing that's the best thing to do: I'm
certainly not going to, I'm quite happy with the FreeBSD response.

This is a different proposal than "someone should get paid to reduce my
security timing issues". It is "I should take responsibility for my
security timing issues".

--Paul Hoffman