Forums.FreeBSD.org - SSL Issue?
Roger Marquis
marquis at roble.com
Fri May 15 15:22:15 UTC 2015
Mark Felder wrote:
> In the future FreeBSD's base libraries like OpenSSL hopefully will be
> private: only the base system knows they exist; no other software will
> see them. This will mean that every port/package you install requiring
> OpenSSL will *always* use OpenSSL from ports/packages; no conflict is
> possible.
That's one way of approaching it but there are drawbacks to this method.
Maintaining two sets of binaries and libraries that must be kept separate
(using what kind of ACLs?) adds complexity. Complexity is the enemy of
security.
Another option is a second openssl port, one that overwrites base and
guarantees compatibility with RELEASE. Then we could at least have all
versions of openssl in vuln.xml (not that that's been a reliable
indicator of security of late).
Roger Marquis
More information about the freebsd-security
mailing list