On 06/11/14 15:00, Ben Laurie:
Some of them wish to declare the lifetime of a particular version at the time of
release. It will no longer be possible, as embedded OpenSSL may become
obsolete at any time.

This is already true, because of bugs. And, in practice, no version of
OpenSSL (or anything else, pretty much) has a lifetime such that you
can safely make a non-upgradeable product from it.

Don't mix security patches and upgrades. With a security patch the ABI doesn't change, so I can just replace the compiled library with the patched one and restart the daemon (or system).

With a new version, the same approach is not possible. All applications need to be recompiled.

And if the API has changed as well, then all applications need to be re-evaluated at the source level, and modified if necessary according to the API changes.

We can't just blindly compile old sources against a new OpenSSL hoping for security, can we?

Even if the source compiles against the new API, it doesn't mean it will work as expected, or that it's still secure.

Alternatively, can 9.3 not upgrade to a newer OpenSSL?

Upgraded? Yes, but upgraded to another version than 9.3.

9.3 can be patched during its lifetime, but 9.3-pX and 9.3-pY need to be binary compatible.

If it is not compatible, then it's not 9.3 anymore.

One modification I'd be prepared to contemplate is that 1.0.1 (for
example) is supported for some known period of time, even if it should
be EOL according to the versioning scheme. The question is: how long?
Sounds like you'd want 2 years.

Almost acceptable for me.

I wish to keep a 2-year lifetime period for FreeBSD.

It takes some time for a release to be prepared. The (possible) new version of OpenSSL needs to be imported, all code that uses it needs to be re-evaluated because of possible API changes, and the resulting system needs to be tested.

It takes months. Check the release process of any FreeBSD release ...

If you declare a 2-year minimal lifetime for OpenSSL, it will be hard to reach even a 1-year lifetime for FreeBSD ...

So I'm wishing for something like 3 years from OpenSSL ...

Be sure I understand that any supported version requires resources. I'm not picking numbers randomly just because it's simple to write a number here ...

Dan

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"