Imminent release of 2.2.5 and 3.0.3

[Alan DeKok]

Phil Mayers wrote:
> Personally I think the LTS distros provide a really useful buffer
> between open source projects and customers. This allows the project to
> proceed at the pace they want, and LTS customers to PAY someone to do
> the boring work of keeping an older, stable version secure against newly
> discovered bugs.

  That works when they pay.  A good chunk of people don't.  Then, they
complain *here* because their 6 year-old distro still has a 10 year-old
version of FreeRADIUS.  And the "can't upgrade" because of "stability".

  Well, that's their choice.  They've chosen to have a particular
configuration, and they've chosen to not do anything about it.  But they
want it magically fixed.

> I wonder if this checking for "bad" libraries inside FR is really useful
> or appropriate, especially if it's causing you major hassles. It's not
> obvious to me why OpenSSL is special - where's the blacklist for glibc
> or libpq or $whatever? Are other projects doing this?

  There aren't massive security holes in other libraries.  I'm not sure
if other projects are doing this.  I know for my sanity, I don't want
people blaming FreeRADIUS because they've chosen to use a vulnerable
version of OpenSSL.

  Which will happen if FR doesn't check for "bad" versions of OpenSSL.

> I think you guys already do more than enough - way more than most
> projects - to provide long-term stable releases. I don't think you need
> to do more, and I certainly don't think you need to be cleaning up
> OpenSSL's mess. That way lies moral hazard!

  The code is done now.  There aren't any long-term maintenance issues.
 So I think it's fine.

  I'm more concerned with ongoing tests.  I've spent much of the last
two months adding more sanity checks to the parser, and then adding
tests for the parser and sanity checks.  That will do more than anything
else to prevent future issues.

  Alan DeKok.