Re: scope of private libraries

2015-06-02 Thread Kimmo Paasiala
On Tue, Jun 2, 2015 at 5:43 PM, Franco Fichtner fra...@lastsummer.de wrote:
> Hi,
>
> the general lack of responses is probably why we have the
> OpenSSL base issues and maybe they won’t go away anytime
> soon, even though there are no downsides to modularisation.
>
> Yes, anyone can submit patches, but how can potential
> contributors from the security domain bring in patches
> that elude the scope of the FreeBSD developers.  How can
> we reason for better security under such circumstances?
> How can a widespread adoption of the diversity trend of
> crypto libraries be embraced by FreeBSD without stepping
> on anyone’s toes?  How do we actually create the necessary
> awareness?  How can we move from labels of “paranoid” to
> “secure”?
>
> The last time I tried WITHOUT_CRYPT=1 it was dysfunctional
> despite the fact that the flag exists for the purpose of
> decoupling base from crypto and being documented without
> the notion of having “hiccups”.
>
> And now even one dependency from the ports is what can
> prolong said status quo in the face of a constant stream
> of upcoming security advisories.
>
> On 01 Jun 2015, at 20:00, Benjamin Kaduk ka...@mit.edu wrote:
>
>> On Mon, 1 Jun 2015, Franco Fichtner wrote:
>>
>>> As a side note, does pkgng really have to depend on base
>>> OpenSSL; does it have to depend on a full-blown SSL library?
>>
>> Yes.
>
> Thanks for the quick answer from the source, Benjamin.
>
> It is, however, not a good reason why pkgng is dynamically
> linked to OpenSSL in base when e.g. sqlite and libucl are
> embedded to avoid chicken and egg issues.  Why should OpenSSL
> be the exception?  Because it is in base?  Because it is too
> big?  Wouldn’t it be easier to embed and deal with security
> issues through the ports/packages infrastructure which
> basically rocks?
>
> FreeBSD should put effort into getting there, eventually.
> That’s all I’m saying.  Where do we start then?
>
>
> Cheers,
> Franco

Even if the base system OpenSSL was modularized using pkg it would be
still subject to ABI stability requirements. In other words it would
be stuck at the version or versions that are 100% ABI compatible with
one installed initially on the first minor version of the same major
version line. Only critical security fixes would be backported to it
exactly as it is done now with the base system OpenSSL.

-Kimmo
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to freebsd-security-unsubscr...@freebsd.org

Re: scope of private libraries

2015-06-02 Thread Franco Fichtner

> On 02 Jun 2015, at 16:50, Kimmo Paasiala kpaas...@gmail.com wrote:
>
> Even if the base system OpenSSL was modularized using pkg it would be
> still subject to ABI stability requirements. In other words it would
> be stuck at the version or versions that are 100% ABI compatible with
> one installed initially on the first minor version of the same major
> version line. Only critical security fixes would be backported to it
> exactly as it is done now with the base system OpenSSL.

OpenSSL base is only used by base, unexposed.  All ports are built
against OpenSSL from ports.  I don’t see the ABI problem.  pkgng
takes care of updating shared library dependencies and ABI changes.
We can already move OPNsense installations from OpenSSL to LibreSSL
and back without a flinch.

The real issue is hand-rolled production systems that rely on a
stable crypto API because someone did not want to add a ports/packages
workflow to implement proper dependency tracking.  I don’t think that
has worked out particularly well.  ;)


Cheers,
Franco

Re: scope of private libraries

2015-06-01 Thread Benjamin Kaduk
On Mon, 1 Jun 2015, Franco Fichtner wrote:

> As a side note, does pkgng really have to depend on base
> OpenSSL; does it have to depend on a full-blown SSL library?

Yes.

-Ben

(From IRC:)

   efnet / #bsddev / bjk  13:17  ()
   In particular, Franco asked does pkg really need to depend on openssl from base?
   efnet / #bsddev / bjk  13:17  ()
   To which I believe the answer is yes, but am not authoritative
   efnet / #bsddev / bapt  13:48  (bapt!~b...@ns3301091.ip-178-32-217.eu)
   bjk: I'm not reading but the answer is yes
   efnet / #bsddev / bapt  13:48  (bapt!~b...@ns3301091.ip-178-32-217.eu)
   pkg needs openssl
   efnet / #bsddev / bapt  13:48  (bapt!~b...@ns3301091.ip-178-32-217.eu)
   because of rsa keys
   efnet / #bsddev / bapt  13:48  (bapt!~b...@ns3301091.ip-178-32-217.eu)
   because of sha256 as well
   efnet / #bsddev / bapt  13:48  (bapt!~b...@ns3301091.ip-178-32-217.eu)
   well this one could be replaced by libmd but it is way slower
   efnet / #bsddev / bapt  13:49  (bapt!~b...@ns3301091.ip-178-32-217.eu)
   also without openssl no https support
