[Freeswitch-dev] VoIP Security

Michael Jerris mike at jerris.com
Fri Apr 4 19:41:58 MSD 2014


To be clear, I'm not advocating carrying around older libraries, but I am strongly advocating using a distro that is not based on package versions from 5+ years ago or a distro that is no longer actively maintained if you want any sense of stability or security. There are many fixes that come in the form of new APIs that simply are not possible to backport, or major fixes that do not meet the requirements for backport in other ways. Using centos5 for example will become much, much more difficult for the user in future freeswitch 1.4 releases because freeswitch simply needs capabilities added to libraries within the last 5 years, that are just not readily available on centos5. This will require users to manually install more recent versions of libraries to meet dependency requirements, which of course negates all of the reasons you use a distro in the first place.

Mike

On Apr 4, 2014, at 11:30 AM, R P Herrold <herrold at owlriver.com> wrote:

> On Fri, 4 Apr 2014, R P Herrold wrote:
> 
> Following on myself, this paper [1] touches on similar issues 
> which are uncovered in current Open Source crypto libraries 
> and tools.
> 
> I know there was a comment in the JIRA [2] distrusting whether 
> enterprise vendors backport security fixes.  I strongly 
> disagree with that view.  Certainly the upstream of CentOS is 
> quite good about issuing prompt fixes which backport into a 
> stable API, and moving away from locally carried libraries is 
> a good way to get security updates, 'for free' into 
> FreeSwitch, compared to using old 'carried around' tarballs of 
> indeterminate security.
> 
> -- Russ herrold
> 
> [1] https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf
> [2] https://jira.freeswitch.org/browse/FS-353
> 
> 