On Fri, Dec 18, 2015, at 16:21, Roger Marquis wrote:
> rhi wrote:
> >> Until now, I have avoided installing the OpenSSL port because the base
> >> OpenSSL gets security updates via freebsd-update and so it's one thing less
> >> to care about... also, I don't like the idea of having two different
> >> versions of the same thing on the system
>
> A fair number of sites have this issue, particularly with ssl and ssh
> binaries. IME this is one of FreeBSD's more longstanding administrative and
> security weaknesses. It is particularly painful for those of us who have
> to support a release for several years (after the last base update).
>
> >> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
> >> is only used for the system itself?
>
> If you need the most recent ciphers and protocols you'll normally need to
> use the port. Features are backported from the (higher) port version to
> the base version, i.e., without bumping the version string; however, it's
> not clear whether all applications can take advantage of them.
>
> Matthew Seaman wrote:
> > There are plans to make many of the base system shlibs private and that
> > includes switching the ports to use openssl from ports, but I don't think
> > any changes along those lines are really imminent.
>
> Are you sure? 3 months ago DES thought they'd be ready for 11:
>
> > The plan is for 11 to have a fully packaged base system. There should
> > be some information in developer summit reports on the wiki. The code
> > is in projects/release-pkg.
>
> However I don't see a projects/release-pkg dir in -CURRENT.
>
> Any recommendations as to how we might help this particular effort?
>
What do you mean? It has been there for a while
https://svnweb.freebsd.org/base/projects/release-pkg/
--
Mark Felder
ports-secteam member
feld at FreeBSD.org