Forums.FreeBSD.org - SSL Issue?
Mark Felder
feld at FreeBSD.org
Fri May 15 16:02:48 UTC 2015
On Fri, May 15, 2015, at 10:22, Roger Marquis wrote:
> Mark Felder wrote:
> > In the future FreeBSD's base libraries like OpenSSL hopefully will be
> > private: only the base system knows they exist; no other software will
> > see them. This will mean that every port/package you install requiring
> > OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
> > possible.
>
> That's one way of approaching it but there are drawbacks to this method.
> Maintaining two sets of binaries and libraries that must be kept separate
> (using what kind of ACLs?) adds complexity. Complexity is the enemy of
> security.
>
It should be less complex than you're thinking. It's literally just
libraries outside the linker search path.
> Another option is a second openssl port, one that overwrites base and
> guarantees compatibility with RELEASE. Then we could at least have all
> versions of openssl in vuln.xml (not that that's been a reliable
> indicator of security of late).
>
This will never work. You can't guarantee compatibility with RELEASE and
upgrade it too.
More information about the freebsd-security
mailing list