Dan Lukes wrote:
> 9.3 can be patched during its lifetime, but 9.3-pX and 9.3-pY need to be binary compatible.
>
> If it is not compatible, then it's no 9.3 anymore.
>
>> One modification I'd be prepared to contemplate is that 1.0.1 (for
>> example) is supported for some known period of time, even if it should
>> be EOL according to the versioning scheme. The question is: how long?
>> Sounds like you'd want 2 years.
>
> Almost acceptable for me.
>
> I wish to save a 2-year lifetime period for FreeBSD.

Once we officially move to the 5-year branch lifetime, even a 2-year OpenSSL lifetime becomes problematic. It seems to me that the only solution is to remove the ABI promise on OpenSSL: move the base system's libcrypt.so into /usr/lib/private. Installed packages would have to depend on (up-to-date) OpenSSL from the ports tree, where 2 years might be long enough to do the EOL dance.

The problem with this approach is that pkg itself is a package, and it needs to verify signatures to bootstrap itself before installing any OpenSSL package. Perhaps we can come up with a minimal API (ideally one function) whose ABI we can continue to support even as we change libcrypt versions under the hood.

Jon

--
Jonathan Anderson
jonathan@FreeBSD.org
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"