Forums.FreeBSD.org - SSL Issue?

Mark Felder feld at FreeBSD.org
Fri May 15 16:02:48 UTC 2015
On Fri, May 15, 2015, at 10:22, Roger Marquis wrote:
> Mark Felder wrote:
> > In the future FreeBSD's base libraries like OpenSSL hopefully will be
> > private: only the base system knows they exist; no other software will
> > see them. This will mean that every port/package you install requiring
> > OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
> > possible.
> 
> That's one way of approaching it but there are drawbacks to this method.
> Maintaining two sets of binaries and libraries that must be kept separate
> (using what kind of ACLs?) adds complexity.  Complexity is the enemy of
> security.
> 

It should be less complex than you're thinking. It's literally just
libraries outside the linker search path.

> Another option is a second openssl port, one that overwrites base and
> guarantees compatibility with RELEASE.  Then we could at least have all
> versions of openssl in vuln.xml (not that that's been a reliable
> indicator of security of late).
> 

This will never work. You can't guarantee compatibility with RELEASE and
upgrade it too.