Heartbleed Notice

Apr 10, 2014 incarnate
I'm still out of town, but posted a quick news update about our status with respect to the Heartbleed security vulnerability.

Basically, in this specific case we were lucky that our FreeBSD machines all use older versions of OpenSSL. We're still continuing to investigate the issue, however, and make sure there aren't other impacts from orthogonal usages or secondary effects, etc.
Apr 10, 2014 Inevitable
First time I've heard, "Thank God we are out of date!"
Apr 11, 2014 Kierky
hahahahah
Apr 11, 2014 Phaserlight
Thanks for the update.
Apr 11, 2014 vskye
Nothing wrong with being out of date. Assumes you're still using FreeBSD 9.x series. ;)
Apr 13, 2014 incarnate
I'm actually a big advocate of using a robustly well-understood, tested and secure codebase, as opposed to whatever is newest. Sometimes updates include security fixes, and those are of course important (and can usually be back-propagated to secure older versions), but generally new code tends to mean new bugs, especially when it's there to enable new features. If we don't really need the new features, then I'd just as soon not have the new code.

I'm not alone in this. I understand Yahoo recently did an internal update from FreeBSD 4.

It's still totally random chance that we didn't happen to be susceptible to the Heartbleed bug; I can't really claim any kind of credit for that. But in terms of our being "out of date", yes, that was intentional.
Apr 13, 2014 Faille Corvelle
but generally new code tends to mean new bugs, especially when it's there to enable new features. If we don't really need the new features, then I'd just as soon not have the new code.

Hehehe, I say the same about D&D 4th ed vs 3.5 ed...