OpenSSL end of life

Constantine A. Murenin mureninc at gmail.com
Wed Jun 11 23:21:10 UTC 2014


On 11 June 2014 06:59, Jonathan Anderson <jonathan at freebsd.org> wrote:
> Dan Lukes wrote:
>> 9.3 can be patched during its lifetime, but 9.3-pX and 9.3-pY need to be
>> binary compatible.
>>
>> If it is not compatible, then it's not 9.3 anymore.
>>
>>> One modification I'd be prepared to contemplate is that 1.0.1 (for
>>> example) is supported for some known period of time, even if it should
>>> be EOL according to the versioning scheme. The question is: how long?
>>> Sounds like you'd want 2 years.
>>
>> Almost acceptable for me.
>>
>> I wish to save a 2-year lifetime period for FreeBSD.
>
>
> Once we officially move to the 5-year branch lifetime, even a 2-year OpenSSL
> lifetime becomes problematic. It seems to me that the only solution is to
> remove the ABI promise on OpenSSL: move the base system's libcrypt.so into
> /usr/lib/private. Installed packages would have to depend on (up-to-date)
> OpenSSL from the ports tree, where 2 years might be long enough to do the
> EOL dance.
>
> The problem with this approach is that pkg itself is a package and it needs
> to verify signatures to bootstrap itself before installing any OpenSSL
> package. Perhaps we can come up with a minimal API (ideally one function)
> whose ABI we can continue to support even as we change libcrypt versions
> under the hood.

BTW, this crypto bootstrapping problem has already been addressed by
OpenBSD earlier this year through the development of a lightweight
one-algorithm-fits-all signature utility called signify(1).

    http://mdoc.su/o/signify.1
    http://bxr.su/o/usr.bin/signify/signify.c
    http://www.tedunangst.com/flak/post/signify
    http://bsd.slashdot.org/story/14/01/19/0124202/openbsd-moving-towards-signed-packages-based-on-d-j-bernstein-crypto

C.
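The bootstrap approach the thread circles around (a single fixed signature algorithm whose verifier does not depend on the libcrypto ABI) is illustrated below with an added example. This is not code from the thread, from FreeBSD's pkg, or from OpenBSD's signify(1); it is a stand-alone Go program that uses only the standard library's crypto/ed25519. The two-line "untrusted comment" layout and the 8-byte key id are borrowed loosely from signify's design but are a simplification assumed here, not byte-compatible with signify's real file format, and every function name and the sample manifest are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Assumed blob layout (not signify-compatible): alg tag || 8-byte key id || payload.
const (
	pkAlg     = "Ed" // one algorithm only; there is no negotiation to get wrong
	keyNumLen = 8    // random key id so a signature names the key it was made with
)

// KeyPair holds the key id plus the Ed25519 material.
type KeyPair struct {
	KeyNum [keyNumLen]byte
	Pub    ed25519.PublicKey
	Priv   ed25519.PrivateKey
}

// GenerateKeyPair makes a fresh Ed25519 key and a random key id.
func GenerateKeyPair() (*KeyPair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	kp := &KeyPair{Pub: pub, Priv: priv}
	if _, err := rand.Read(kp.KeyNum[:]); err != nil {
		return nil, err
	}
	return kp, nil
}

// encodeBlob renders "untrusted comment: <c>\n<base64(alg||keynum||payload)>\n".
func encodeBlob(comment string, keyNum [keyNumLen]byte, payload []byte) string {
	var raw bytes.Buffer
	raw.WriteString(pkAlg)
	raw.Write(keyNum[:])
	raw.Write(payload)
	return fmt.Sprintf("untrusted comment: %s\n%s\n", comment,
		base64.StdEncoding.EncodeToString(raw.Bytes()))
}

// decodeBlob parses the two-line format and returns the key id and payload.
// The comment line is ignored entirely; only the decoded bytes are trusted.
func decodeBlob(data string) ([keyNumLen]byte, []byte, error) {
	var keyNum [keyNumLen]byte
	lines := strings.Split(strings.TrimRight(data, "\n"), "\n")
	if len(lines) != 2 || !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return keyNum, nil, errors.New("malformed blob: want comment line + base64 line")
	}
	raw, err := base64.StdEncoding.DecodeString(lines[1])
	if err != nil {
		return keyNum, nil, fmt.Errorf("bad base64: %w", err)
	}
	if len(raw) < len(pkAlg)+keyNumLen || string(raw[:len(pkAlg)]) != pkAlg {
		return keyNum, nil, errors.New("unsupported algorithm tag or truncated blob")
	}
	copy(keyNum[:], raw[len(pkAlg):len(pkAlg)+keyNumLen])
	return keyNum, raw[len(pkAlg)+keyNumLen:], nil
}

// PubKeyFile renders the public key as a bootstrap would ship it.
func (kp *KeyPair) PubKeyFile(comment string) string {
	return encodeBlob(comment, kp.KeyNum, kp.Pub)
}

// Sign produces a detached signature file for msg.
func (kp *KeyPair) Sign(comment string, msg []byte) string {
	return encodeBlob(comment, kp.KeyNum, ed25519.Sign(kp.Priv, msg))
}

// Verify checks sigFile over msg with pubFile; nil means the signature is good.
func Verify(pubFile, sigFile string, msg []byte) error {
	pubNum, pubBytes, err := decodeBlob(pubFile)
	if err != nil {
		return fmt.Errorf("public key: %w", err)
	}
	if len(pubBytes) != ed25519.PublicKeySize {
		return errors.New("public key: wrong length")
	}
	sigNum, sig, err := decodeBlob(sigFile)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if pubNum != sigNum { // cheap early reject: signature made with another key
		return errors.New("key id mismatch: signature was made with a different key")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature: wrong length")
	}
	if !ed25519.Verify(ed25519.PublicKey(pubBytes), msg, sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	kp, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	manifest := []byte("pkg-1.3.0.txz SHA256 0123...\n") // constructed sample manifest
	pubFile := kp.PubKeyFile("pkg bootstrap key")
	sigFile := kp.Sign("signature for manifest", manifest)
	fmt.Print(pubFile, sigFile)
	fmt.Println("good manifest:    ", Verify(pubFile, sigFile, manifest))
	fmt.Println("tampered manifest:", Verify(pubFile, sigFile, append(manifest, 'x')))
}
```

The point for the pkg bootstrap case is that Verify has no external library dependency at all: a statically linked copy can sit in the base system for the whole branch lifetime, and the base OpenSSL can change or disappear underneath it without an ABI concern.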

