(Adding Bryan who asked this and Ben who is the maintainer as they might have some saying here; moving to public list as there is no sensitive information in this discussion).

On 04/08/14 14:29, Thierry Thomas wrote:
> Hello,
>
> I've just rebuilt a 10-STABLE server, and now:
>
> $ openssl version
> OpenSSL 1.0.1e-freebsd 11 Feb 2013
>
> Actually, delphij's commit didn't change the VERSION string in
> crypto/openssl/Makefile.
>
> This is not very important, but it may be confusing for users.

Bryan has brought this up on IRC as well. As far as I know, for the last decade we never bump the version number when making updates, unless it's a "wholesale" upgrade of certain components in very special circumstances.

I have done a quick check on Linux systems and found they don't carry a patchlevel for "openssl" either; however, they do provide a way to tell the patchlevel because it's a package. However, they do bump the date as part of the update.

What would be the preferable way of representing the patchlevel? We can do it as part of an EN batch at a later time. (Note though, even without this the user or an application can still use freebsd-version(1) on FreeBSD 10.0-RELEASE and up to find out the patchlevel for userland).

Cheers,
--
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
On Tue, Apr 08, 2014 at 15:47:29 -0700, Xin Li wrote:
> What would be the preferable way of representing the patchlevel? We
> can do it as part of an EN batch at a later time. (Note though, even
> without this the user or an application can still use
> freebsd-version(1) on FreeBSD 10.0-RELEASE and up to find out the
> patchlevel for userland).

On an updated system:

[(18:56:41) apeiron at behemoth ~] freebsd-version
10.0-STABLE
[(18:56:42) apeiron at behemoth ~] freebsd-version -k
10.0-STABLE
[(18:56:43) apeiron at behemoth ~] freebsd-version -u
10.0-STABLE
[(18:56:47) apeiron at behemoth ~]

I can't say this is very useful. Is this only supposed to work for -RELEASE?

--
Chris Nehren
On Tue, Apr 08, 2014 at 03:47:29PM -0700, Xin Li wrote:
> I have done a quick check on Linux systems and found they don't carry
> a patchlevel for "openssl" either; however, they do provide a way to
> tell the patchlevel because it's a package. However, they do bump the
> date as part of the update.
>
> What would be the preferable way of representing the patchlevel? We
> can do it as part of an EN batch at a later time. (Note though, even
> without this the user or an application can still use
> freebsd-version(1) on FreeBSD 10.0-RELEASE and up to find out the
> patchlevel for userland).

I'd say that it will be good for admins to have to just run 'openssl version' to determine which additional patches were applied. Since the current output is 'OpenSSL 1.0.1g-freebsd 7 Apr 2014', we probably can add the list of patches to the end of the string, e.g. making it

{{{
OpenSSL 1.0.1g-freebsd 7 Apr 2014 patches: FreeBSD SA-14:06, CVE-20XX-NNN, etc
}}}

Probably this won't break most users of 'openssl version' output and will give immediate visibility of which additional patches are applied on top of the vendor source.

Another option will be to add an extra command-line flag to 'openssl version', but this will be rather non-standard and FreeBSD-specific. A more sane option will be to introduce another line into the output of 'openssl version -a' and tell people to analyze it.

My 2 cents.
--
Eygene Ryabinkin ,,,^..^,,,
[ Life's unfair - but root password helps! | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
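As an added example that is not part of this thread: a small parser for the 'openssl version' line in both its current form and the "patches:" suffix form Eygene sketched above. The function names and the three sample strings are my own (the samples are copied from the outputs quoted in the thread; the patch identifiers after "patches:" are the thread's placeholders, not real advisories). It shows that consumers reading the second whitespace-separated field keep working, and that an absent patch list must be reported as "unknown", which is the gap the thread is about.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples taken from the version lines quoted in the thread.
OLD_LINE = "OpenSSL 1.0.1e-freebsd 11 Feb 2013"
CURRENT_LINE = "OpenSSL 1.0.1g-freebsd 7 Apr 2014"
# Eygene's proposed form; the identifiers after "patches:" are his placeholders.
PROPOSED_LINE = ("OpenSSL 1.0.1g-freebsd 7 Apr 2014 "
                 "patches: FreeBSD SA-14:06, CVE-20XX-NNN, etc")

@dataclass
class OpenSSLVersion:
    version: str                      # e.g. "1.0.1g-freebsd"
    date: str                         # e.g. "7 Apr 2014"
    patches: List[str] = field(default_factory=list)

# "OpenSSL <version> <d Mon yyyy>" optionally followed by " patches: a, b, c".
_VERSION_RE = re.compile(
    r"^OpenSSL\s+(?P<version>\S+)\s+(?P<date>\d{1,2} \w{3} \d{4})"
    r"(?:\s+patches:\s*(?P<patches>.*?))?\s*$"
)

def parse_openssl_version(line: str) -> OpenSSLVersion:
    """Parse one 'openssl version' output line; raise on anything unexpected."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised openssl version line: {line!r}")
    patches = []
    if m.group("patches"):
        patches = [p.strip() for p in m.group("patches").split(",") if p.strip()]
    return OpenSSLVersion(m.group("version"), m.group("date"), patches)

def legacy_version_field(line: str) -> str:
    """What a naive 'openssl version | awk {print $2}' consumer sees."""
    return line.split()[1]

def has_patch(line: str, patch_id: str) -> Optional[bool]:
    """True/False when the line carries a patch list; None when it does not,
    because a missing list means 'unknown', not 'unpatched'."""
    parsed = parse_openssl_version(line)
    if not parsed.patches:
        return None
    return patch_id in parsed.patches
```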