FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Giorgos Keramidas keramida at freebsd.org
Wed Oct 12 05:36:35 PDT 2005


On 2005-10-11 18:37, jimmy at inet-solutions.be wrote:
> Quoting jere <jere at htnet.hr>:
>> unfortunately, this is the dark side of FreeBSD security patch
>> management :)  and I think also the main reason FreeBSD isn't so widely
>> deployed into enterprise environments. It's ok for hacking or managing
>> few boxes but try to imagine how to manage security on hundreds of them
>> this way. :(
>>
>> on the other side (bright side :) you can try to use unofficial and
>> often somewhat slowly updating solutions such as bsdupdate
>> (www.bsdupdates.com) or freebsd-update (from ports tree).
>>
>> currently, FreeBSD just doesn't have a mechanism to handle security
>> advisories in a quick way.
>>
>> any suggestions/corrections ?
>
> What I meant was: "why compile everything instead of just openssl"
> I'm thinking about this question since the last openssl issue in FreeBSD.

Because it's the easiest way (read "the most easy way to automate for
thousands of machines, through a few well selected build machines")
to make sure that you get *ALL* the dependencies right.

The alternative of manually fiddling with makefiles under /usr/src may
be ok for hacker-style, experimental installations, where a few hours of
breakage may be ok.  This is _UNACCEPTABLE_ in a large setup.
Especially if one considers that large setups can make use of network
booting from preinstalled images, which have been asynchronously
updated, for any number of machines, to include the fixes.

I don't see anything wrong with that.


