Date: Thu, 1 Aug 2002 00:05:57 -0400 (EDT)
From: "Michael Sharp" <freebsd@ec.rr.com>
To: <petr@blade-runner.mit.edu>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: About the openssl hole
Message-ID: <1861.192.168.1.4.1028174757.squirrel@webmail.probsd.ws>
In-Reply-To: <86y9brnuzl.fsf@blade-runner.mit.edu>
References: <004001c237cf$23c00560$fa00a8c0@elixor> <170112657687.20020730181657@buz.ch> <000d01c237e5$ceede1d0$fa00a8c0@elixor> <5113861671.20020730183701@buz.ch> <002301c237ea$04b4d4f0$fa00a8c0@elixor> <2115515250.20020730190434@buz.ch> <3D470873.5C42BF65@pantherdragon.org> <3D47402F.83B37CBA@pantherdragon.org> <2319.192.168.1.4.1028151129.squirrel@webmail.probsd.ws> <86y9brnuzl.fsf@blade-runner.mit.edu>
RE: I don't follow your reasoning. I didn't know openssl was a 'core' issue

I didn't say openssl is a core issue. I said installing a 3rd party openssl port that FreeBSD hasn't audited as closely as it would the core openssl *sometimes* is not a good idea. Unless! Your server can't afford downtime (i.e. it's a business), then using the port *UNTIL* core is fixed makes sense. But installing a port *permanently* because you can't wait x number of hrs until core is patched IMHO is not a good idea.

RE:
me: Each port/package that is installed on a FreeBSD box degrades the security profile in small increments.
you: How so? I don't follow.

What's more secure, a core ONLY FreeBSD box, or a FreeBSD box with 20+ 3rd party ports installed?

RE: Downtime is a luxury few have. A luxury I certainly don't enjoy.

See my first statement... Unless! ...

RE: I don't see why installing the openssh ports isn't a fix.

From the FreeBSD Website..

"While the port maintainers make every reasonable effort to ensure that ports are safe... they DO NOT go through the same stringent security audits that FreeBSD core does."

Maybe I'm missing something, but installing a port to apply a fix to a broken core issue IMHO isn't good, unless... as in what we just saw with openssl... core is vulnerable, and the port isn't... installing the port until core is fixed makes sense.

Michael

> "Michael Sharp" <freebsd@ec.rr.com> writes:
>
>> Regarding using a port to fix a core issue. I so totally disagree.
>
> I don't follow your reasoning. I didn't know openssl was a 'core'
> issue.
>
>> Each port/package that is installed on a FreeBSD box degrades the
>> security profile in small increments.
>
> How so? I don't follow.
>
>> My thoughts, use core as much as you can,
>> and use ports sparingly. I had 4 services exposed to the net that
>> relied on the bad OpenSSL. I chose to wait out the core team to fix
>> things. Yes, my website might have been down for 8 hrs, mail as well..
>> etc... but so what?
>
> Downtime is a luxury few have. A luxury I certainly don't enjoy.
>
>> However, I'm not a 1000 hit a day business either so I guess one could
>> argue the wait for core/install a port issue there. But I have found
>> that core typically goes right to work on an issue, and a fix is out
>> within hrs.
>
> I don't see why installing the openssh ports isn't a fix.
>
> Peace,
>
> Petr
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
