From: Nate Williams
Date: Thu, 18 Apr 2002 11:51:25 -0600
To: Brett Glass
Cc: David Wolfskill, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <15551.1949.581870.277391@caddis.yogotech.com>
In-Reply-To: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>
Reply-To: nate@yogotech.com (Nate Williams)

[ Another 'clue-by-four' that Brett can ignore again ]

> >If you have systems that are that important to you -- and I do, even
> >here at home -- then acquire a machine to do the builds, and then use
> >some method other than "build in place" to install the result.
>
> That's not sufficient to ensure that you didn't pick the wrong time
> to take a snapshot. Production machines must run a known good
> snapshot.

Pray tell who is going to verify that a snapshot is both 'known and good'?
Simply applying security patches doesn't (necessarily) qualify as giving
you your requirement, so if you are truly concerned about your production
systems, you'll need to test *any* changes made to them either on the
system (and take the risk that it won't work), or set up a system like
David says and do your testing/verification process on a scratch system.

This ain't rocket science here....

Nate