Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

OpenSSL frequently hosts vulnerabilities that don't affect all users of TLS. If you pay attention to the updates (as Colin surely does), you can filter down to the updates that matter.

It's a risky thing to do if you're not willing to own those judgement calls; I wouldn't recommend that most shops do that. Among other things, you need to eyeball the diffs.



Or he is running an older version of FreeBSD that contains an older version of OpenSSL in the base.


For what it's worth: he's the former FreeBSD security officer, so I wouldn't worry too much about which version of FreeBSD he's using.


[deleted]


"Argument by authority" is not a fatal fallacy. The key insight is appealing to an irrelevant authority. For example:

    Oprah says heartbleed is not a problem.
Maybe she's right, maybe she's not. But appealing to her authority doesn't help because she's not an authority on this topic.

    Colin Percival knows a lot about FreeBSD security.
This appeal to authority is much stronger, because Colin Percival is the former FreeBSD Security Officer, runs a security-conscious SaaS, provides security review and consulting services, publishes on security matters, has corrected major companies' security errors and has developed novel cryptographic algorithms.


Maybe the more precise way to say this is that an appeal to authority isn't always fallacious.

It's especially not fallacious when the actual debate is about the person being appealed to. :)


I'm going to nitpick...

>The key insight is appealing to an irrelevant authority.

This is true, but the authority is almost never relevant to forming a valid argument. It's just a shortcut. Take the following:

"X is not Y. I am a subject expert on X and Y."

It may be true that X is not Y. It may also be true that I know everything there is to know about X and Y. However, it's a completely invalid argument. There is no evidence provided about why X is not Y.

If someone questions why is X not Y, providing more evidence of authority does not contribute to the discourse. It is definitely a fatal fallacy if you exchanging in meaningful discourse.

If you are just looking for general knowledge on topics you are vaguely familiar with, receiving knowledge backed by statements of authority is okay. But that's okay because you aren't actually arguing, you are just seeking clarification and knowledge.


It isn't that much older... stable/9 was the latest until 10 came out within the last year. The release cycle is closer to, say, Debian, than, say, Fedora.


FreeBSD 10 was just released, January 2014 if I remember correctly.


I've been hearing about it from some FreeBSDers for months before that, so I can never remember the actual release date. But I would believe you on January :).


The release was in January, but a lot of us were running Betas and Release Candidates for about three months prior to that.


JeffR sounded pretty busy with preparing those betas and RCs, iirc. ;)




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: