On Apr 10, 2014, at 12:34 PM, Nathan Dorfman <na@rtfm.net> wrote:
> On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> If your reliance on OpenSSL bugs being fixed requires a fix at a rate faster than what the FreeBSD community provides, then you should not rely on the FreeBSD community. Install OpenSSL on your mission-critical systems from OpenSSL source, not from FreeBSD ports or packages.
>
> I really don't think one needs to go this far. The workaround provided
> in the original OpenSSL advisory, recompiling with
> -DOPENSSL_NO_HEARTBEATS, was directly applicable to FreeBSD. For
> anyone unsure exactly where to effect that option, it was discussed on
> this very list. Also posted on this list was a working patch
> containing the actual fix, on Monday afternoon.
That fixed *this* bug; earlier ones took actual patches.
> So yes, if you want a fully tested, reviewed and supported fix, you
> had to wait, but anyone in desperate need of an immediate fix had
> options that didn't involve ditching FreeBSD's OpenSSL.
I was not proposing ditching FreeBSD's OpenSSL when the next bug was found: I was proposing that you switch at your own speed before the next emergency. And I'm not proposing that's the best thing to do: I'm certainly not going to; I'm quite happy with the FreeBSD response.
This is a different proposal than "someone should get paid to reduce my security timing issues". It is "I should take responsibility for my security timing issues".
--Paul Hoffman
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"