From: Darren Pilgrim
Date: Wed, 31 Jul 2002 14:40:33 -0700
To: Michael Sharp
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: About the openssl hole
Message-ID: <3D485951.2C161CE6@pantherdragon.org>
References: <004001c237cf$23c00560$fa00a8c0@elixor> <170112657687.20020730181657@buz.ch> <000d01c237e5$ceede1d0$fa00a8c0@elixor> <5113861671.20020730183701@buz.ch> <002301c237ea$04b4d4f0$fa00a8c0@elixor> <2115515250.20020730190434@buz.ch> <3D470873.5C42BF65@pantherdragon.org> <3D47402F.83B37CBA@pantherdragon.org> <2319.192.168.1.4.1028151129.squirrel@webmail.probsd.ws>

Michael Sharp wrote:
> Regarding using a port to fix a core issue. I so totally disagree.
>
> Each port/package that is installed on a FreeBSD box degrades the security
> profile in small increments. My thoughts: use core as much as you can,
> and use ports sparingly. I had 4 services exposed to the net that relied
> on the bad OpenSSL. I chose to wait out the core team to fix things. Yes,
> my website might have been down for 8 hrs, mail as well, etc... but so
> what? However, I'm not a 1000-hit-a-day business either, so I guess one
> could argue the wait-for-core/install-a-port issue there. But I have found
> that core typically goes right to work on an issue, and a fix is out within
> hrs.

This is quite true. However, the OpenSSH hoopla was proof that you can't
discard using ports like this across the board. It's also proof that big bugs
make big panic, which causes people to make mistakes (like fixing an unbroken
OpenSSH).

Now that openssl has been patched in stable, I will be cvsup'ing and rebuilding
my world. I also had almost no downtime while I rebuilt my third-party stuff
after going to v0.9.6e via ports.

IMO, using ports like this is just like using patches on the base. Patches work
well, they do the job and can mean getting something fixed a lot sooner than it
would if you waited for core to merge it into the tree. Use patches too much,
though, and you're going to make a mess of your system. This is why my machine
is going to be doing buildworld while I'm at school tonight.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
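The check a practitioner would want after the "rebuild the third-party stuff" step discussed in this thread, as an added example that is not part of the original post and not FreeBSD's own tooling: a POSIX shell script that reports which binaries still resolve libssl/libcrypto from the base system's /usr/lib (the unpatched library, until buildworld) instead of the port's /usr/local/lib, and a version comparison for OpenSSL's letter-suffixed version strings against the 0.9.6e the reply mentions. The ldd listing, the daemon paths and the library paths below are constructed sample data; on a real host you would pipe in the output of `ldd` run over the listening daemons (for example those shown by `sockstat -l`).

```shell
#!/bin/sh
# Constructed ldd-style listing for three hypothetical daemons (sample data,
# not captured from a real system). Format matches "ldd bin1 bin2 ...":
# a "path:" header line, then one indented "lib => path (addr)" line per library.
LDD_SAMPLE='/usr/local/sbin/httpd:
    libssl.so.2 => /usr/lib/libssl.so.2 (0x28100000)
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x28140000)
/usr/local/sbin/postfix-smtpd:
    libssl.so.2 => /usr/local/lib/libssl.so.2 (0x28100000)
    libcrypto.so.2 => /usr/local/lib/libcrypto.so.2 (0x28140000)
/usr/sbin/sshd:
    libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x28140000)'

# base_ssl_users [BASE_LIBDIR]
# Reads ldd output on stdin and prints, once each, every binary whose
# libssl or libcrypto resolves from BASE_LIBDIR (default /usr/lib).
# Anything printed is still using the base-system OpenSSL, not the port.
base_ssl_users() {
  awk -v base="${1:-/usr/lib}" '
    # header line: "path:" with no leading whitespace
    /^[^[:space:]].*:$/ { bin = substr($0, 1, length($0) - 1); next }
    # library line: $1 is the soname, $3 is the resolved path
    $1 ~ /^lib(ssl|crypto)\.so/ && index($3, base "/") == 1 {
      if (!seen[bin]++) print bin
    }
  '
}

# ver_at_least HAVE WANT
# Exit 0 if OpenSSL version HAVE is >= WANT. Versions look like 0.9.6e:
# three numeric components, the last optionally followed by a patch letter,
# and a bare 0.9.6 is older than 0.9.6a.
ver_at_least() {
  awk -v have="$1" -v want="$2" 'BEGIN {
    nh = split(have, h, "."); nw = split(want, w, ".")
    for (i = 1; i <= 3; i++) {
      hv = h[i] + 0; wv = w[i] + 0      # "6e" + 0 == 6 in awk
      if (hv != wv) exit (hv < wv)      # status 1 when have is older
    }
    hl = h[nh]; sub(/^[0-9]+/, "", hl)  # patch letter, or empty
    wl = w[nw]; sub(/^[0-9]+/, "", wl)
    exit (hl < wl)
  }'
}

# Demo run over the constructed sample.
echo "Binaries still linked against base-system OpenSSL:"
printf '%s\n' "$LDD_SAMPLE" | base_ssl_users /usr/lib
for v in 0.9.6d 0.9.6e 0.9.7; do
  if ver_at_least "$v" 0.9.6e; then echo "$v: ok"; else echo "$v: too old"; fi
done
```

The httpd line is the case the reply warns about: a service rebuilt without pointing it at the port's library keeps linking the vulnerable base libssl, so "installed the port" and "fixed the service" are not the same thing. sshd from the base system is expected to show up here until buildworld replaces /usr/lib/libcrypto.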