On Fri, Dec 18, 2015, at 16:21, Roger Marquis wrote:
> rhi wrote:
> >> Until now, I have avoided installing the OpenSSL port because the base
> >> OpenSSL gets security updates via freebsd-update and so it's one thing less
> >> to care about... also, I don't like the idea of having two different
> >> versions of the same thing on the system
>
> A fair number of sites have this issue, particularly with ssl and ssh
> binaries. IME this is one of FreeBSD's more longstanding administrative and
> security weaknesses. It is particularly painful for those of us who have
> to support a release for several years (after the last base update).
>
> >> Or is it recommended to let ports use the port OpenSSL, so that base
> >> OpenSSL is only used for the system itself?
>
> If you need the most recent ciphers and protocols you'll normally need to
> use the port. Features are backported from the (higher) port version to
> the base version i.e., without bumping the version string, however, it's
> not clear whether all applications can take advantage of them.
>
> Matthew Seaman wrote:
> > There are plans to make many of the base system shlibs private and that
> > includes switching the ports to use openssl from ports, but I don't think
> > any changes along those lines are really imminent.
>
> Are you sure? 3 months ago DES thought they'd be ready for 11:
>
> > The plan is for 11 to have a fully packaged base system. There should
> > be some information in developer summit reports on the wiki. The code
> > is in projects/release-pkg.
>
> However I don't see a projects/release-pkg dir in -CURRENT.
>
> Any recommendations as to how we might help this particular effort?
>

What do you mean? It has been there for a while

https://svnweb.freebsd.org/base/projects/release-pkg/

--
Mark Felder
ports-secteam member
[email protected]
