svn commit: r264265 - in head: crypto/openssl/crypto/bn crypto/openssl/crypto/ec crypto/openssl/ssl sys/fs/nfsserver

Bryan Drewery bdrewery at FreeBSD.org
Wed Apr 9 18:07:36 UTC 2014


On 2014-04-09 09:01, Dag-Erling Smørgrav wrote:
> Bryan Drewery <bdrewery at FreeBSD.org> writes:
>> Also, that this was a partial release of 1.0.1g is confusing a LOT of
>> users. They think they are still vulnerable. They expect to see 1.0.1g
>> in 'openssl version'. We could have our own version string in 'openssl
>> version' to remedy this.
> 
> This is no different from what other OSes do, e.g. RHEL6.5:
> 
> % cat /etc/redhat-release
> Red Hat Enterprise Linux Workstation release 6.5 (Santiago)
> % openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> % TZ=UTC rpm -qi openssl
> Name        : openssl                      Relocations: (not 
> relocatable)
> Version     : 1.0.1e                            Vendor: Red Hat, Inc.
> Release     : 16.el6_5.7                    Build Date: Mon 07 Apr
> 2014 11:34:45 AM UTC
> Install Date: Tue 08 Apr 2014 05:18:52 AM UTC      Build Host:
> x86-027.build.eng.bos.redhat.com
> [...]
> 
> which despite the version number and date is *not* vulnerable.
> 
> DES

Yes you're right. We're not those projects though. And just because we
have "always" done something a certain way does not mean we must 
forever.

We released 2/3 of 1.0.1g to 10, 1/3 of it to previous releases. I do
recognize it was not officially 'g'. I am just giving feedback from
many confused users. Many of which were just as confused on Debian
and CentOS as well.

I often think we forget the average user's perspective.

-- 
Regards,
Bryan Drewery


More information about the svn-src-head mailing list