Forwarding this from freebsd-security in case anyone here can update us
regarding the status of base packaging or has URLs for projects/release-pkg.

Roger

>Date: Fri, 18 Dec 2015 14:21:04 -0800 (PST)
>To: freebsd-security_at_freebsd.org
>Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default
>
>rhi wrote:
>>> Until now, I have avoided installing the OpenSSL port because the base
>>> OpenSSL gets security updates via freebsd-update and so it's one thing less
>>> to care about... also, I don't like the idea of having two different
>>> versions of the same thing on the system
>
>A fair number of sites have this issue, particularly with ssl and ssh
>binaries. IME this is one of FreeBSD's more longstanding administrative and
>security weaknesses. It is particularly painful for those of us who have
>to support a release for several years (after the last base update).
>
>>> Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
>>> is only used for the system itself?
>
>If you need the most recent ciphers and protocols you'll normally need to
>use the port. Features are backported from the (higher) port version to
>the base version i.e., without bumping the version string, however, it's
>not clear whether all applications can take advantage of them.
>
>Matthew Seaman wrote:
>> There are plans to make many of the base system shlibs private and that
>> includes switching the ports to use openssl from ports, but I don't think
>> any changes along those lines are really imminent.
>
>Are you sure? 3 months ago DES thought they'd be ready for 11:
>
> > The plan is for 11 to have a fully packaged base system. There should
> > be some information in developer summit reports on the wiki. The code
> > is in projects/release-pkg.
>
>However I don't see a projects/release-pkg dir in -CURRENT.
>
>Any recommendations as to how we might help this particular effort?

Received on Fri Dec 18 2015 - 22:21:14 UTC