scope of private libraries
Franco Fichtner
franco at lastsummer.de
Tue Jun 2 15:16:58 UTC 2015
> On 02 Jun 2015, at 16:50, Kimmo Paasiala <kpaasial at gmail.com> wrote:
>
> Even if the base system OpenSSL was modularized using pkg it would be
> still subject to ABI stability requirements. In other words it would
> be stuck at the version or versions that are 100% ABI compatible with
> one installed initially on the first minor version of the same major
> version line. Only critical security fixes would be backported to it
> exactly as it is done now with the base system OpenSSL.

OpenSSL base is only used by base, unexposed. All ports are built
against OpenSSL from ports. I don’t see the ABI problem. pkgng
takes care of updating shared library dependencies and ABI changes.
We can already move OPNsense installations from OpenSSL to LibreSSL
and back without a flinch.

The real issue is hand-rolled production systems that rely on a
stable crypto API because someone did not want to add a ports/packages
workflow to implement proper dependency tracking. I don’t think that
has worked out particularly well. ;)

Cheers,
Franco
More information about the freebsd-security
mailing list