On Fri, May 15, 2015, at 10:22, Roger Marquis wrote:
> Mark Felder wrote:
> > In the future FreeBSD's base libraries like OpenSSL hopefully will be
> > private: only the base system knows they exist; no other software will
> > see them. This will mean that every port/package you install requiring
> > OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
> > possible.
>
> That's one way of approaching it but there are drawbacks to this method.
> Maintaining two sets of binaries and libraries that must be kept separate
> (using what kind of ACLs?) adds complexity. Complexity is the enemy of
> security.
>

It should be less complex than you're thinking. It's literally just
libraries outside the linker search path.

> Another option is a second openssl port, one that overwrites base and
> guarantees compatibility with RELEASE. Then we could at least have all
> versions of openssl in vuln.xml (not that that's been a reliable
> indicator of security of late).
>

This will never work. You can't guarantee compatibility with RELEASE and
upgrade it too.