Date: Fri, 26 Dec 2014 22:41:05 +0100 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: Roger Marquis <marquis@roble.com> Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp Message-ID: <8661cy9jim.fsf@nine.des.no> In-Reply-To: <20141226200838.DE83DACE@hub.freebsd.org> (Roger Marquis's message of "Fri, 26 Dec 2014 12:08:29 -0800 (PST)") References: <20141223233310.098C54BB6@nine.des.no> <86h9wln9nw.fsf@nine.des.no> <549A5492.6000503@grosbein.net> <868uhx43i5.fsf@nine.des.no> <20141226200838.DE83DACE@hub.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Roger Marquis <marquis@roble.com> writes: > This is most unfortunate as it creates a high bar for base security > patches at many FreeBSD shops. Sites with a significant number of > production hosts, jails and/or filesystem fingerprinting (integrit, > tripwire) or those with constrained resources are never going to be able > to make/build/installworld for something as simple as a single binary > update. These sites would be better served using freebsd-update to download and apply binary patches. Since freebsd-update is based entirely on http and on package signatures rather than server certificates, you can easily set up a proxy for systems which do not have direct Internet access. If your network is air-gapped, you can set up a few VMs with different FreeBSD versions in a DMZ to run freebsd-update through a proxy, then manually copy the contents of the proxy's cache to an http server in your secure network. > I assume the root cause is insufficient resources within the freebsd > security team. If that's the case would there be a budget estimate > associated with addressing this security advicory situation? I would suggest discussing this with the FreeBSD Foundation. They have already taken an interest in the matter. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8661cy9jim.fsf>