A different proposal
Paul Hoffman
paul.hoffman at vpnc.org
Thu Apr 10 20:40:35 UTC 2014
On Apr 10, 2014, at 12:34 PM, Nathan Dorfman <na at rtfm.net> wrote:
> On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
>> If your reliance on OpenSSL bugs being fixed requires a fix at a rate faster than what the FreeBSD community provides, then you should not rely on the FreeBSD community. Install OpenSSL on your mission-critical systems from OpenSSL source, not from FreeBSD ports or packages.
>
> I really don't think one needs to go this far. The workaround provided
> in the original OpenSSL advisory, recompiling with
> -DOPENSSL_NO_HEARTBEATS, was directly applicable to FreeBSD. For
> anyone unsure exactly where to effect that option, it was discussed on
> this very list. Also posted on this list was a working patch
> containing the actual fix, on Monday afternoon.
That fixed *this* bug; earlier ones took actual patches.
> So yes, if you want a fully tested, reviewed and supported fix, you
> had to wait, but anyone in desperate need of an immediate fix had
> options that didn't involve ditching FreeBSD's OpenSSL.
I was not proposing ditching FreeBSD's OpenSSL when the next bug was found: I was proposing that you switch at your own speed before the next emergency. And I'm not proposing that's the best thing to do: I'm certainly not going to, I'm quite happy with the FreeBSD response.
This is a different proposal than "someone should get paid to reduce my security timing issues". It is "I should take responsibility for my security timing issues".
--Paul Hoffman
More information about the freebsd-security
mailing list