OpenSSL end of life

Jonathan Anderson jonathan at FreeBSD.org
Wed Jun 11 14:00:02 UTC 2014


Dan Lukes wrote:
 > 9.3 can be patched during its lifetime, but 9.3-pX and 9.3-pY need
 > to be binary compatible.
 >
 > If it is not compatible, then it's no 9.3 anymore.
 >
 >> One modification I'd be prepared to contemplate is that 1.0.1 (for
 >> example) is supported for some known period of time, even if it should
 >> be EOL according to the versioning scheme. The question is: how long?
 >> Sounds like you'd want 2 years.
 >
 > Almost acceptable for me.
 >
 > I wish to save 2year lifetime period for FreeBSD.


Once we officially move to the 5-year branch lifetime, even a 2-year 
OpenSSL lifetime becomes problematic. It seems to me that the only 
solution is to remove the ABI promise on OpenSSL: move the base system's 
libcrypt.so into /usr/lib/private. Installed packages would have to 
depend on (up-to-date) OpenSSL from the ports tree, where 2 years might 
be long enough to do the EOL dance.

The problem with this approach is that pkg itself is a package and it 
needs to verify signatures to bootstrap itself before installing any 
OpenSSL package. Perhaps we can come up with a minimal API (ideally one 
function) whose ABI we can continue to support even as we change 
libcrypt versions under the hood.


Jon
-- 
Jonathan Anderson
jonathan at FreeBSD.org

