Re: OpenSSL end of life

Board: FB_security, posted 2014/06/12 02:01
On 06/11/14 15:59, Jonathan Anderson:

> Once we officially move to the 5-year branch lifetime

5-year? In such a case, the content of /usr/src/contrib needs to be reevaluated very carefully. OpenSSL is not the only external library here ...

> It seems to me that the only solution is to remove the ABI promise on OpenSSL: move the base system's libcrypt.so into /usr/lib/private.

You are proposing to change the meaning of the words "patch" and "upgrade". Sure, if we call some upgrades patches, then the version number need not be bumped, so we can reach the 5-year lifetime magically. But it's just magic with words.

I prefer a different approach. If we can't maintain a 5-year lifetime, then we can't declare it just by tricks.

OK, I have no problem with this kind of black magic. As long as I know the meaning of the words, I can understand the sentences. I will translate the "5-year lifetime" label to something I will understand.

Note - English is not my native language. The text above is not an offense in any way. It explains how I understood the solution you mentioned. Although I don't prefer this kind of solution, I can live with it if necessary.

I prefer the other solution mentioned in the thread. We need to support a particular version of OpenSSL by ourselves during the lifetime of a particular release.

Despite such self-support, I would like to recommend that OpenSSL releases have a lifetime declared at their release time. It may be extended (by a known amount of time) before it expires if there is no newer release ready.

Dan
Article ID (AID): #1Jc9bUOe (FB_security)