Date:      Wed, 12 Oct 2005 15:35:21 +0300
From:      Giorgos Keramidas <keramida@freebsd.org>
To:        jimmy@inet-solutions.be
Cc:        freebsd-security@freebsd.org, jere <jere@htnet.hr>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
Message-ID:  <20051012123521.GB2071@flame.pc>
In-Reply-To: <1129048620.434bea2c6b7ab@webmail.boxke.be>
References:  <200510111202.j9BC2obf081876@freefall.freebsd.org> <1129036481.434bbac1720a6@webmail.boxke.be> <434BBF09.6040101@htnet.hr> <1129048620.434bea2c6b7ab@webmail.boxke.be>

On 2005-10-11 18:37, jimmy@inet-solutions.be wrote:
> Quoting jere <jere@htnet.hr>:
>> unfortunately, this is the dark side of FreeBSD security patch
>> management :)  and I think also the main reason FreeBSD isn't so widely
>> deployed into enterprise environments. It's ok for hacking or managing
>> few boxes but try to imagine how to manage security on hundreds of them
>> this way. :(
>>
>> on the other side (bright side :) you can try to use unofficial and
>> often somewhat slowly updating solutions such as bsdupdate
>> (www.bsdupdates.com) or freebsd-update (from ports tree).
>>
>> currently, FreeBSD just doesn't have a mechanism to handle security
>> advisories in a quick way.
>>
>> any suggestions/corrections?
>
> What I meant was: "why compile everything instead of just openssl?"
> I've been thinking about this question since the last openssl issue in FreeBSD.

Because it's the easiest way (read "the easiest way to automate for
thousands of machines, through a few well-selected build machines")
to make sure that you get *ALL* the dependencies right.

The alternative of manually fiddling with makefiles under /usr/src may
be ok for hacker-style, experimental installations, where a few hours of
breakage may be ok.  This is _UNACCEPTABLE_ in a large setup.
Especially if one considers that large setups can make use of network
booting from preinstalled images, which have been asynchronously
updated, for any number of machines, to include the fixes.

I don't see anything wrong with that.