Re: OpenSSL end of life

Board: FB_security, posted 11 years ago (2014/06/11 21:32)
On 06/11/14 15:00, Ben Laurie:
>> Some of them wish to declare lifetime of particular version at the time of
>> release. It will be possible no longer as embedded OpenSSL may become
>> obsolete at any time.
>
> This is already true, because of bugs. And, in practice, no version of
> OpenSSL (or anything else, pretty much) has a lifetime such that you
> can safely make a non-upgradeable product from it.

Don't mix security patches and upgrades. With a security patch the ABI doesn't change, so I can just replace the compiled library with the newly patched one and restart the daemon (or system). With a new version the same approach is not possible: all applications need to be recompiled. And if the API has changed as well, then all applications need to be re-evaluated at the source level and modified, if necessary, according to the API changes. We can't just blindly compile old sources against a new OpenSSL and wish for security, can we? Even if the source compiles against the new API, it doesn't mean it will work as expected, or that it's still secure.

> Alternatively, can 9.3 not upgrade to a newer OpenSSL?

Upgraded? Yes, but upgraded to another version than 9.3. 9.3 can be patched during its lifetime, but 9.3-pX and 9.3-pY need to be binary compatible. If they are not compatible, then it's not 9.3 anymore.

> One modification I'd be prepared to contemplate is that 1.0.1 (for
> example) is supported for some known period of time, even if it should
> be EOL according to the versioning scheme. The question is: how long?
> Sounds like you'd want 2 years.

Almost acceptable for me. I wish to save a 2-year lifetime period for FreeBSD. It takes some time until the release is prepared for release: the (possible) new version of OpenSSL needs to be imported, all code that uses it needs to be re-evaluated because of possible API changes, and the resulting system needs to be tested. It takes months. Check the release process of any FreeBSD ...

If you declare a 2-year minimal lifetime for OpenSSL, it will be hard to reach even a 1-year lifetime for FreeBSD ... So I'm wishing for something about 3 years from OpenSSL ... Be sure I understand that any supported version requires resources. I'm not picking numbers randomly just because it's simple to write a number here ...

Dan

freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #1Jc5fJrM (FB_security)