From owner-freebsd-security@FreeBSD.ORG Wed Oct 12 12:36:35 2005
Date: Wed, 12 Oct 2005 15:35:21 +0300
From: Giorgos Keramidas <keramida@freebsd.org>
To: jimmy@inet-solutions.be
Cc: freebsd-security@freebsd.org, jere
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
Message-ID: <20051012123521.GB2071@flame.pc>
In-Reply-To: <1129048620.434bea2c6b7ab@webmail.boxke.be>
References: <200510111202.j9BC2obf081876@freefall.freebsd.org> <1129036481.434bbac1720a6@webmail.boxke.be> <434BBF09.6040101@htnet.hr> <1129048620.434bea2c6b7ab@webmail.boxke.be>

On 2005-10-11 18:37, jimmy@inet-solutions.be wrote:
> Quoting jere:
>> Unfortunately, this is the dark side of FreeBSD security patch
>> management :) and I think also the main reason FreeBSD isn't so widely
>> deployed in enterprise environments. It's OK for hacking or managing a
>> few boxes, but try to imagine how to manage security on hundreds of them
>> this way. :(
>>
>> On the other side (the bright side :) you can try to use unofficial and
>> often somewhat slowly updating solutions such as bsdupdate
>> (www.bsdupdates.com) or freebsd-update (from the ports tree).
>>
>> Currently, FreeBSD just doesn't have a mechanism to handle security
>> advisories in a quick way.
>>
>> Any suggestions/corrections?
>
> What I meant was: "why compile everything instead of just openssl?"
> I've been thinking about this question since the last openssl issue in FreeBSD.

Because it's the easiest way (read "the easiest way to automate for
thousands of machines, through a few well-selected build machines") to
make sure that you get *ALL* the dependencies right.

The alternative of manually fiddling with makefiles under /usr/src may be
OK for hacker-style, experimental installations, where a few hours of
breakage may be OK. This is _UNACCEPTABLE_ in a large setup.

Especially if one considers that large setups can make use of network
booting from preinstalled images, which have been asynchronously updated,
for any number of machines, to include the fixes. I don't see anything
wrong with that.