Re: OpenSSL end of life

Board: FB_security; posted 11 years ago (2014/06/12 02:01); 0 votes (0 up, 0 neutral, 0 down)
0 comments, 0 participants; post 7 of 14 in the thread
Dan Lukes wrote:

> 9.3 can be patched during its lifetime, but 9.3-pX and 9.3-pY need to be binary compatible.
>
> If it is not compatible, then it's no 9.3 anymore.
>
>> One modification I'd be prepared to contemplate is that 1.0.1 (for
>> example) is supported for some known period of time, even if it should
>> be EOL according to the versioning scheme. The question is: how long?
>> Sounds like you'd want 2 years.
>
> Almost acceptable for me.
>
> I wish to save a 2-year lifetime period for FreeBSD.

Once we officially move to the 5-year branch lifetime, even a 2-year OpenSSL lifetime becomes problematic.

It seems to me that the only solution is to remove the ABI promise on OpenSSL: move the base system's libcrypt.so into /usr/lib/private. Installed packages would have to depend on (up-to-date) OpenSSL from the ports tree, where 2 years might be long enough to do the EOL dance.

The problem with this approach is that pkg itself is a package and it needs to verify signatures to bootstrap itself before installing any OpenSSL package. Perhaps we can come up with a minimal API (ideally one function) whose ABI we can continue to support even as we change libcrypt versions under the hood.

Jon

--
Jonathan Anderson
jonathan@FreeBSD.org

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
Article ID (AID): #1Jc9bUgy (FB_security)