Re: openssl commit

2018-03-08 Thread Hal Murray via devel
> So my opinion is that eliminating the openssl version check has only one
> drawback: we lose our single possibility to influence what openssl we build
> against. This /could/ have certain security implications and thus tainting
> ntpsec's name.

I don't think the version check is intended to ca

Re: openssl commit

2018-03-08 Thread Udo van den Heuvel via devel
On 08-03-18 21:22, Richard Laager wrote:
>> Can't we simply enforce a reasonable level? (e.g. maximum of XX months
>> old version of openssl)
>
> Probably not, as backported fixes for particular issues will not
> increment the version number.

But fixes by the openssl team /will/ increment the ver

Re: openssl commit

2018-03-08 Thread Richard Laager via devel
On 03/08/2018 05:06 AM, Udo van den Heuvel wrote:
> Can we trust the distros to deliver openssl updates in time?

Yes. If you can't trust the distro to deliver security updates, you have a serious problem that cannot be solved by ntpsec's tarball.

> Can't we simply enforce a reasonable level? (e.g

Re: openssl commit

2018-03-08 Thread Udo van den Heuvel via devel
On 08-03-18 08:57, Hal Murray wrote:
> Do you have a pointer to a list of the insecure versions with a summary of
> the bug so we can see if we use that feature?

https://www.openssl.org/news/vulnerabilities.html ? That is from the source of openssl... We also have https://www.cvedetails.com/vul

Re: openssl commit

2018-03-08 Thread Udo van den Heuvel via devel
On 08-03-18 10:57, Richard Laager via devel wrote:
> On 03/08/2018 01:40 AM, Udo van den Heuvel via devel wrote:
>> Why wouldn't we require a certain openssl version as there are a number
>> of security vulnerabilities in (older) openssl?
>
> Isn't this potentially the case with any dependency? Sh

Re: openssl commit

2018-03-08 Thread Richard Laager via devel
On 03/08/2018 01:40 AM, Udo van den Heuvel via devel wrote:
> Why wouldn't we require a certain openssl version as there are a number
> of security vulnerabilities in (older) openssl?

Isn't this potentially the case with any dependency? Shouldn't this be handled through normal update mechanisms, r

Re: openssl commit

2018-03-07 Thread Hal Murray via devel
devel@ntpsec.org said:
> Why wouldn't we require a certain openssl version as there are a number of
> security vulnerabilities in (older) openssl?

Do you have a pointer to a list of the insecure versions with a summary of the bug so we can see if we use that feature?

--
These are my opinions.