base components should always be default (Re: change in default openssl coming)

Xin Li delphij at delphij.net
Sat Jul 9 07:34:06 UTC 2016



On 7/8/16 12:20, Grzegorz Junka wrote:
> 
> The only reason I heard why base isn't updated with the proper package
> from ports is because of security implications. Older versions are more
> security-tested and therefore safer. If there is a vulnerability in the
> base it's much more hassle to update the base than ports.

Not necessarily safer -- for instance on FreeBSD 9.x the base system
OpenSSL is EoL'ed by upstream, and therefore the security fixes are
backported by secteam@ in a case-by-case manner.  Generally speaking,
newer code is safer and supports newer standards, and we recommend ALL
users who are still on FreeBSD 9.x to use the port version of OpenSSL.

The only possible problem with defaulting to port OpenSSL that I can
think of is some DLL hell style issue.  If a base system library links
against OpenSSL, then gets linked into a port binary which links to port
OpenSSL, we may see problems.  For instance, some utilities depend on
libarchive, and libarchive depends on libcrypto (OpenSSL).  If it loads an
OpenLDAP client (i.e. through an NSS module) that depends on the port
version of libcrypto, there _may_ be problems.

Cheers,
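The "DLL hell" case above (a base-system consumer such as libarchive pulling in base libcrypto while an OpenLDAP client pulls in the port libcrypto, both in one process) is something an administrator can check for before it bites. The following POSIX sh script is an added example and not code from this thread or from the FreeBSD project; it parses ldd(1)-style output and reports any OpenSSL library (libcrypto or libssl) that resolves to more than one distinct path. The sample ldd output and its sonames are constructed for illustration and do not describe any real host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): flag two different
# libcrypto/libssl copies in one binary's link map, which is the
# base-vs-port OpenSSL mixing problem described in the message above.
# Input is ldd(1)-style text; the sample below is constructed.

# Print "libname: path1 path2 ..." for each OpenSSL library that resolves
# to more than one distinct path. Exit status 1 if any duplicate is found,
# 0 if the link map is clean.
find_dup_openssl() {
    printf '%s\n' "$1" |
    awk '
        # ldd lines look like: "libcrypto.so.8 => /lib/libcrypto.so.8 (0x...)"
        $2 == "=>" && $1 ~ /^lib(crypto|ssl)\.so/ {
            base = $1
            sub(/\.so.*/, "", base)          # libcrypto.so.8 -> libcrypto
            if (!((base, $3) in seen)) {     # count each distinct path once
                seen[base, $3] = 1
                count[base]++
                paths[base] = paths[base] " " $3
            }
        }
        END {
            dup = 0
            for (b in count) if (count[b] > 1) {
                printf "%s:%s\n", b, paths[b]
                dup = 1
            }
            exit dup
        }'
}

# Run the check against a real binary (needs ldd(1) on the host).
# Usage: check_binary /usr/local/bin/some-program
check_binary() {
    find_dup_openssl "$(ldd "$1" 2>/dev/null)"
}

# Constructed sample: a port binary linked against port libcrypto (.so.8)
# that also pulls in base libarchive, which brings base libcrypto (.so.6).
SAMPLE_LDD='/usr/local/bin/example:
    libarchive.so.6 => /usr/lib/libarchive.so.6 (0x800800000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c00000)
    libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x801000000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801400000)
    libc.so.7 => /lib/libc.so.7 (0x801800000)'

# Constructed sample with a single libcrypto: nothing to report.
CLEAN_LDD='/bin/example:
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x800800000)
    libc.so.7 => /lib/libc.so.7 (0x800c00000)'

# Demonstration when run directly: prints the duplicate for the first
# sample and nothing for the second.
if [ "${0##*/}" != "sh" ] && [ "$#" -eq 0 ]; then
    find_dup_openssl "$SAMPLE_LDD"
    find_dup_openssl "$CLEAN_LDD"
fi
```

Note that ldd only shows libraries resolved at load time; an NSS module loaded later through dlopen(3), which is exactly the OpenLDAP case in the message, does not appear in the static link map. For a running process on FreeBSD, `procstat -v <pid>` lists the files actually mapped and the same duplicate-path test can be applied to that listing.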
