On Fri, May 15, 2015, at 10:22, Roger Marquis wrote: > Mark Felder wrote: > > In the future FreeBSD's base libraries like OpenSSL hopefully will be > > private: only the base system knows they exist; no other software will > > see them. This will mean that every port/package you install requiring > > OpenSSL will *always* use OpenSSL from ports/packages; no conflict is > > possible. > > That's one way of approaching it but there are drawbacks to this method. > Maintaining two sets of binaries and libraries that must be kept separate > (using what kind of ACLs?) adds complexity. Complexity is the enemy of > security. >
It should be less complex than you're thinking. It's literally just libraries outside the linker search path. > Another option is a second openssl port, one that overwrites base and > guarantees compatibility with RELEASE. Then we could at least have all > versions of openssl in vuln.xml (not that that's been a reliable > indicator of security of late). > This will never work. You can't guarantee compatibility with RELEASE and upgrade it too. _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
