OpenSSL end of life

Jonathan Anderson jonathan at FreeBSD.org
Wed Jun 11 16:49:54 UTC 2014 

Dan Lukes wrote:
> In such case, the content of /usr/src/contrib needs to be reevaluated
> very carefully. The OpenSSL is not only external library here ...

OpenSSL is a bit special, though. The ABI for, e.g., jemalloc isn't 
likely to change very much upstream, nor are we likely to break it for 
security updates. If our version of OpenSSL goes EOL, however, that's 
very much a security concern.


>> It seems to me that the only solution is to remove the ABI promise on
>> OpenSSL: move the base system's libcrypt.so into /usr/lib/private.
>
> You are proposing to change meaning of words "patch" and "upgrade".
> Sure, if we will call some upgrades as patches, then version number
> needs not to be bumped
 >
 > But it's just magic with the words

It's not just wordsmithing: right now, we promise not to break the 
x/stable ABI as long as there are x.y releases. That ABI includes things 
that, realistically, we aren't in a position to maintain.

I propose that we be a bit more careful about the libraries that we're 
willing to commit to an ABI on, restricting ourselves to things that we 
are able to maintain internally as a project or where upstream changes 
don't break the ABI (e.g. an executable where the interface is the 
command line, so all we have to do is preserve existing arguments).


> Note - English is not my native language. The text above is not offense
> in any way. It explained how I understood the solution your mentioned.

Perhaps I didn't explain myself very well: I hope my proposal is clearer 
now.


> I prefer other solution mentioned in the thread. We need to support
> particular version of OpenSSL by self during lifetime of particular
> release.

Sure, we could do point patches of old OpenSSL versions as 
vulnerabilities are discovered, but who's to say that we'll hear about 
them if the upstream vendor has stopped doing security advisories? If 
everybody else has moved on from 0.9.8, who in the FreeBSD project is 
willing to take ownership of such a large and complex code base?


Jon
-- 
Jonathan Anderson
jonathan at FreeBSD.org

More information about the freebsd-security mailing list