Date: Wed, 31 Jul 2002 14:40:33 -0700
From: Darren Pilgrim <dmp@pantherdragon.org>
To: Michael Sharp <freebsd@ec.rr.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: About the openssl hole
Message-ID: <3D485951.2C161CE6@pantherdragon.org>
References: <004001c237cf$23c00560$fa00a8c0@elixor> <170112657687.20020730181657@buz.ch> <000d01c237e5$ceede1d0$fa00a8c0@elixor> <5113861671.20020730183701@buz.ch> <002301c237ea$04b4d4f0$fa00a8c0@elixor> <2115515250.20020730190434@buz.ch> <3D470873.5C42BF65@pantherdragon.org> <3D47402F.83B37CBA@pantherdragon.org> <2319.192.168.1.4.1028151129.squirrel@webmail.probsd.ws>

Michael Sharp wrote:
>
> Regarding using a port to fix a core issue. I so totally disagree.
>
> Each port/package that is installed on a FreeBSD box degrades the security
> profile in small increments. My thoughts, use core as much as you can,
> and use ports sparingly. I had 4 services exposed to the net that relied
> on the bad OpenSSL. I chose to wait out the core team to fix things. Yes,
> my website might have been down for 8 hrs, mail as well.. etc... but so
> what? However, I'm not a 1000 hit a day business either so I guess one
> could argue the wait for core/install a port issue there. But I have found
> that core typically goes right to work on an issue, and a fix is out within
> hrs.

This is quite true. However, the OpenSSH hooplah was proof that you
can't discard using ports like this across the board. It's also proof
that big bugs make big panic, which cause people to make mistakes
(like fixing an unbroken OpenSSH). Now that openssl has been patched
in stable, I will be cvsup'ing and rebuilding my world. I also had
almost no downtime while I rebuilt my third-party stuff after going to
v0.9.6e via ports.

IMO, using ports like this is just like using patches on the base.
Patches work well, they do the job and can mean getting something
fixed a lot sooner than it would if you waited for core to merge it
into the tree. Use patches too much, though, and you're going to make
a mess of your system. This is why my machine is going to be doing
buildworld while I'm at school tonight.
