Forwarding this from freebsd-security in case anyone here can update us
regarding the status of base packaging or has URLs for projects/release-pkg.


Date: Fri, 18 Dec 2015 14:21:04 -0800 (PST)
Subject: Re: [OpenSSL] /etc/ssl/cert.pem not honoured by default

rhi wrote:
Until now, I have avoided installing the OpenSSL port because the base
OpenSSL gets security updates via freebsd-update and so it's one thing less
to care about... also, I don't like the idea of having two different
versions of the same thing on the system

A fair number of sites have this issue, particularly with ssl and ssh
binaries.  IME this one of FreeBSD's more longstanding administrative and
security weaknesses.  It is paricularly painful for those of us who have
to support a release for several years (after the last base update).

Or is it recommended to let ports use the port OpenSSL, so that base OpenSSL
is only used for the system itself?

If you need the most recent ciphers and protocols you'll normally need to
use the port.  Features are backported from the (higher) port version to
the base version i.e., without bumping the version string, however, it's
not clear whether all applications can take advantage of them.

Matthew Seaman wrote:
There are plans to make many of the base system shlibs private and that
includes switching the ports to use openssl from ports, but I don't think
any changes along those lines are really imminent.

Are you Sure?  3 months ago DES thought they'd be ready for 11:

> The plan is for 11 to have a fully packaged base system.  There should
> be some information in developer summit reports on the wiki.  The code
> is in projects/release-pkg.

However I don't see a projects/release-pkg dir in -CURRENT.

Any recommendations as to how we might help this particular effort?
_______________________________________________ mailing list
To unsubscribe, send any mail to ""

Reply via email to