First, the (unfortunately) necessary disclaimer: this is an honest question to satisfy my curiosity, nothing more. Absolutely no criticism of anyone is intended.
Is it implausible to suggest that before embarking on the task of backporting, reviewing, testing and releasing the actual fix, an announcement could have been made immediately with the much simpler workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler flags? Given the severity of the issue, it doesn't seem that an immediate advisory stating "here's an immediate workaround, a full fix will be coming in the next day or two" would be terribly inappropriate. Perhaps this workaround would have required more testing than I imagine, but surely it'd be a tiny fraction of the time required to release the full fix? While I'm out here drawing fire, I might as well also ask if I'm crazy to think that it might be a good idea for the base system OpenSSL (and other third party imports) to just disable any and all non-essential functionality that can be disabled at compile time? Non-essential meaning everything not required for the base system to function -- there's always the ports version if anyone needs more. Thanks for your thoughts, and of course, your ongoing efforts. They are much appreciated. -nd. _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
