Phil Mayers wrote:
Personally I think the LTS distros provide a really useful buffer between open source projects and customers. This allows the project to proceed at the pace they want, and LTS customers to PAY someone to do the boring work of keeping an older, stable version secure against newly discovered bugs.
That works when they pay. A good chunk of people don't. Then, they complain *here* because their 6 year-old distro still has a 10 year-old version of FreeRADIUS. And the "can't upgrade" because of "stability". Well, that's their choice. They've chosen to have a particular configuration, and they've chosen to not do anything about it. But they want it magically fixed.
I wonder if this checking for "bad" libraries inside FR is really useful or appropriate, especially if it's causing you major hassles. It's not obvious to me why OpenSSL is special - where's the blacklist for glibc or libpq or $whatever? Are other projects doing this?
There aren't massive security holes in other libraries. I'm not sure if other projects are doing this. I know for my sanity, I don't want people blaming FreeRADIUS because they've chosen to use a vulnerable version of OpenSSL. Which will happen if FR doesn't check for "bad" versions of OpenSSL.
I think you guys already do more than enough - way more than most projects - to provide long-term stable releases. I don't think you need to do more, and I certainly don't think you need to be cleaning up OpenSSL's mess. That way lies moral hazard!
The code is done now. There aren't any long-term maintenance issues. So I think it's fine. I'm more concerned with ongoing tests. I've spent much of the last two months adding more sanity checks to the parser, and then adding tests for the parser and sanity checks. That will do more than anything else to prevent future issues. Alan DeKok.