On Sat, Dec 12, 2020 at 04:57:08PM -0800, John-Mark Gurney wrote:
>
> If FreeBSD is going to continue to use OpenSSL, better testing needs to
> be done to figure out such breakage earlier, and how to not have them
> go undetected for so long.

I don't think anyone would argue against increasing test coverage.
The most important question seems to be how to know what should be getting
tested but isn't. Do you have any ideas for where to start looking?

Thanks,

Ben

Hi Guys,

What about adopting OpenBSD's LibreSSL? I was expecting it to take a long time to be compatible, but from my uneducated point of view it looks like they did an incredible job. I think everything on OpenBSD uses it. I was running OpenBSD until I put FreeBSD 12.2 on a new box, so I haven't been looking at it for a year or so.

Does anybody know if this is a viable option? Can we just link against LibreSSL or is it (much) more involved than that?

/jl

On Sat, 12 Dec 2020 18:07:27 -0800 Benjamin Kaduk <kaduk at mit.edu> wrote:
> On Sat, Dec 12, 2020 at 04:57:08PM -0800, John-Mark Gurney wrote:
> >
> > If FreeBSD is going to continue to use OpenSSL, better testing
> > needs to be done to figure out such breakage earlier, and how to
> > not have them go undetected for so long.
>
> I don't think anyone would argue against increasing test coverage.
> The most important question seems to be how to know what should be
> getting tested but isn't. Do you have any ideas for where to start
> looking?
>
> Thanks,
>
> Ben

Benjamin Kaduk wrote this message on Sat, Dec 12, 2020 at 18:07 -0800:
> On Sat, Dec 12, 2020 at 04:57:08PM -0800, John-Mark Gurney wrote:
> >
> > If FreeBSD is going to continue to use OpenSSL, better testing needs to
> > be done to figure out such breakage earlier, and how to not have them
> > go undetected for so long.
>
> I don't think anyone would argue against increasing test coverage.
> The most important question seems to be how to know what should be getting
> tested but isn't. Do you have any ideas for where to start looking?

Is there a CI pipeline set up for OpenSSL testing on -current and the stable branches? If so, where are the results posted? Is the existing test suite being run? Why was the engine test not being run? Has that now been fixed?

--
John-Mark Gurney				Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."