Date: 01 Aug 2002 01:25:08 -0400
From: Petr Swedock <petr@blade-runner.mit.edu>
To: "Michael Sharp" <freebsd@ec.rr.com>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: About the openssl hole
Message-ID: <86sn1znoaz.fsf@blade-runner.mit.edu>
In-Reply-To: <1861.192.168.1.4.1028174757.squirrel@webmail.probsd.ws>
References: <004001c237cf$23c00560$fa00a8c0@elixor> <170112657687.20020730181657@buz.ch> <000d01c237e5$ceede1d0$fa00a8c0@elixor> <5113861671.20020730183701@buz.ch> <002301c237ea$04b4d4f0$fa00a8c0@elixor> <2115515250.20020730190434@buz.ch> <3D470873.5C42BF65@pantherdragon.org> <3D47402F.83B37CBA@pantherdragon.org> <2319.192.168.1.4.1028151129.squirrel@webmail.probsd.ws> <86y9brnuzl.fsf@blade-runner.mit.edu> <1861.192.168.1.4.1028174757.squirrel@webmail.probsd.ws>

"Michael Sharp" <freebsd@ec.rr.com> writes:

> RE: I don't follow your reasoning. I didn't know openssl was a 'core' issue
>
> I didn't say openssl is a core issue.

I'm not going to quibble, but you did say

    "Regarding using a port to fix a core issue."
                                   ^^^^^^^^^^^^^

I don't point this out to flame, or score points, but only to
ensure we're talking the same language.

> I said installing a 3rd party openssl
> port that the FreeBSD hasn't audited as closely as it would the core
> openssl * sometimes * is not a good idea. Unless! Your server can't afford
> downtime ( ie it's a business ), then using the port * UNTIL * core is
> fixed makes sense. But installing a port * permanently * because you can't
> wait x number of hrs until core is patched IMHO is not a good idea.

Unless *I'm* able to audit the code to my satisfaction. One of the
things I like about FreeBSD, and one of the reasons I use it wherever
I'm able, is the ports collection. Specifically the fact that it
doesn't just import and install binaries but compiles (usually w/out
difficulty =-) under my supervision. So in this case, I have the
distinfo checksum, the source code & whatever code audit I may do,
the make and/or compiler warnings and the good industry of the ports
maintainer. I'm satisfied in that security. I think it's a good
system.

> RE:
> me: Each port/package that is installed on a FreeBSD box degrades the
> security profile in small increments.
> you: How so? I don't follow.
>
> What's more secure, a core ONLY FreeBSD box, or a FreeBSD box with 20+ 3rd
> party ports installed?

I think that's not a good comparison. If you simply pound the
keyboard deriving 'cd /usr/ports/fu;make build; make install'
and walk away... I'll agree, that's insecure. If you install a
core only FreeBSD box and walk away leaving only the defaults...
that too, is insecure.

Again, the big win with the ports collection is the ability to
supervise the compile and install (without having to build a new
Makefile for each port) and follow up on concerns. Sure it's a lot
of work, but so is re-installing. Also maintaining a certain level
of vigilance is, IMHO, much less stressful than doing a short-notice
re-install of a server under the baleful eye of users desperate to
get back to work. Been there. Done that.

Peace,

Petr