openssl port DEPRECATED

I see that since 12 Jan 2010 this port has been marked as depreciated. I assume they plan to no longer maintain the port. This is quite a major move by FreeBSD, as numerous public-facing packages depend on the port, and it's not impressive to revert to a base version that rarely sees updates.

For example, on a 6.4 machine, which is not an EOL version of BSD, I have openssl 0.9.7e, which is 5 years old. No problem, as I install the ports version 0.9.8l, which is only a couple of months old, but now it seems this option will no longer be available, and I cannot help thinking this is a move to try and keep people constantly updating to the latest OS version.

The side effect of this move was also to suddenly have dozens of ports refuse to upgrade, as they depend on a port I have installed that is marked as broken.
 
Note that the port is also flagged as broken:
Code:
BROKEN=         coredumps on i386 and amd64

Your assumption that the port is or will be abandoned sounds unfounded at this point. There simply may not be time to fix the vulnerabilities, or the vulnerabilities are still being addressed by the OpenSSL authors at this point in time. A port maintainer can only work with what he's supplied with by the authors.

Interesting sidenote: I have openssl-0.9.8l_1 from ports, and it built and installed just fine on Jan 6, 2010. My OpenVPN is linked against it, and I've seen no errors.
 
chrcol said:
I assume they plan to no longer maintain the port
Why would you assume that? It's deprecated because that version has several vulnerabilities and it doesn't build properly on i386 and amd64.

Code:
BROKEN=		coredumps on i386 and amd64
DEPRECATED=	has unfixed vulnerabilities

There's no newer version on the openssl site except a beta for 1.0.0. This means it's an upstream problem.
 
This is a mess. This is one of the most important FreeBSD ports of all (unless you /really/ think the majority of BSD systems are desktops or only used via the console).

Suddenly marking it Vulnerable and Depreciated (WTF are we supposed to replace it with?) with a terse unexplanation, no attempt to announce on the Security list, etc. No workarounds, no nothing... will attract negative attention.

FreeBSD used to be a project that prided itself on its engineering process. What I have just seen looks like the OpenSSL devs being uninformative, and the port maintainer throwing the pram out of the window in frustration.
 
Err... Again... It's an OpenSSL issue, NOT a FreeBSD issue.

The IETF needs to approve this draft first. Once that's done the OpenSSL people can start implementing it. If they release a new version it will take some time to port it over to FreeBSD.
 
Yep, looks good.

Not sure why they went through those specific steps to mark the port BROKEN/DEPRECATED for what amounts to a single day.
 
Probably to prevent people from installing a vulnerable version.
 
The problem I had was that marking it broken effectively stopped me upgrading various other ports such as php and proftpd. If that version was vulnerable, why not just roll it back instead? Also, why mark it as broken stating it coredumps and depreciate it? Depreciate means they plan to stop supporting it, so if that's not the case it is very misleading.
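
The blocking behaviour described above (a dependency flagged BROKEN or DEPRECATED stops every port that depends on it from upgrading) can be checked for before running an upgrade. The script below is an added example, not FreeBSD's own ports tooling: it reads each port's Makefile directly, assumes the usual <tree>/<category>/<port>/Makefile layout, and takes the ports tree path and the port origins (such as security/openssl) as arguments.

```shell
#!/bin/sh
# Pre-upgrade check: report which ports are flagged BROKEN or DEPRECATED
# in a ports tree, read straight from each port's Makefile.
# Example code, not part of the FreeBSD ports framework.
# Assumes a tree layout of <tree>/<category>/<port>/Makefile.

# Print the value of one Makefile variable (BROKEN, DEPRECATED, ...),
# or nothing if the Makefile does not set it unconditionally.
port_var() {
    # $1 = path to Makefile, $2 = variable name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Report one port's status on a single line:
#   "<origin>: ok"  or  "<origin>: BROKEN: <why>; DEPRECATED: <why>"
port_status() {
    # $1 = ports tree, $2 = port origin such as security/openssl
    mk="$1/$2/Makefile"
    [ -f "$mk" ] || { echo "$2: no such port"; return 1; }
    broken=$(port_var "$mk" BROKEN)
    deprecated=$(port_var "$mk" DEPRECATED)
    out=""
    [ -n "$broken" ] && out="BROKEN: $broken"
    [ -n "$deprecated" ] && out="${out:+$out; }DEPRECATED: $deprecated"
    echo "$2: ${out:-ok}"
}

# Check every origin read from stdin (one per line) and return non-zero
# if any is flagged, so a caller can stop before portupgrade trips over
# the broken dependency.
# usage: printf 'lang/php5\nsecurity/openssl\n' | check_origins /usr/ports
check_origins() {
    # $1 = ports tree
    rc=0
    while read -r origin; do
        [ -n "$origin" ] || continue
        line=$(port_status "$1" "$origin") || { echo "$line"; rc=1; continue; }
        echo "$line"
        case "$line" in *": ok") ;; *) rc=1 ;; esac
    done
    return $rc
}
```

On a real system, `make -V BROKEN -C /usr/ports/security/openssl` is the authoritative answer, because BSD make evaluates the `.if` conditionals (a BROKEN that is only set for some ARCH) that a plain sed over the Makefile cannot see; this script is a quick pre-check to run over the origins you intend to upgrade, and any Makefiles you point it at for a dry run are your own constructed input.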
 
No, 'depreciate' means to lose value. You're looking for 'deprecate' :f
 
Sometime today, yes. It usually shows up in portsnap within 24 hours (depending on the mirrors).
 
chrcol said:
If that version was vulnerable why not just roll it back instead.
Because all previous versions are just as vulnerable. The vulnerability is in the protocol not the implementation.
 
SirDice said:
Because all previous versions are just as vulnerable. The vulnerability is in the protocol not the implementation.

Does that include the very old version in base FreeBSD, which the broken port would be forcing the user back to?
 
I think there were patches for the base system version, disabling the renegotiation?
 