From: Petr Swedock
To: "Michael Sharp"
Subject: Re: About the openssl hole
Date: 31 Jul 2002 23:00:46 -0400
Message-ID: <86y9brnuzl.fsf@blade-runner.mit.edu>

"Michael Sharp" writes:

> Regarding using a port to fix a core issue. I so totally disagree.

I don't follow your reasoning. I didn't know openssl was a
'core' issue.

> Each port/package that is installed on a FreeBSD box degrades the security
> profile in small increments.

How so? I don't follow.

> My thoughts, use core as much as you can,
> and use ports sparingly. I had 4 services exposed to the net that relied
> on the bad OpenSSL. I chose to wait out the core team to fix things. Yes,
> my website might have been down for 8 hrs, mail as well.. etc... but so
> what?

Downtime is a luxury few have. A luxury I certainly don't enjoy.

> However, I'm not a 1000 hit a day business either so I guess one
> could argue the wait for core/install a port issue there. But I have found
> that core typically goes right to work on an issue, and a fix is out within
> hrs.

I don't see why installing the openssh ports isn't a fix.

Peace,

Petr