scope of private libraries

Franco Fichtner franco at lastsummer.de
Tue Jun 2 15:16:58 UTC 2015


> On 02 Jun 2015, at 16:50, Kimmo Paasiala <kpaasial at gmail.com> wrote:
> 
> Even if the base system OpenSSL was modularized using pkg it would be
> still subject to ABI stability requirements. In other words it would
> be stuck at the version or versions that are 100% ABI compatible with
> one installed initially on the first minor version of the same major
> version line. Only critical security fixes would be backported to it
> exactly as it is done now with the base system OpenSSL.

OpenSSL base is only used by base, unexposed.  All ports are built
against OpenSSL from ports.  I don’t see the ABI problem.  pkgng
takes care of updating shared library dependencies and ABI changes.
We can already move OPNsense installations from OpenSSL to LibreSSL
and back without a flinch.

The real issue is hand-rolled production systems that rely on a
stable crypto API because someone did not want to add a ports/packages
workflow to implement proper dependency tracking.  I don’t think that
has worked out particularly well.  ;)


Cheers,
Franco


More information about the freebsd-security mailing list