Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

From: Roger Marquis (marquis_at_roble.com)
Date: 10/13/05

  • Next message: Jacques Vidrine: "Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl"
    Date: Thu, 13 Oct 2005 07:57:37 -0700 (PDT)
    To: freebsd-security@freebsd.org
    
    

    Giorgos Keramidas wrote:
    > The alternative of manually fiddling with makefiles under /usr/src may
    > be ok for hacker-style, experimental installations, where a few hours of
    > breakage may be ok. This is _UNACCEPTABLE_ in a large setup.

    This is one of the reasons we have continued using
    OPENSSL_OVERWRITE_BASE="YES" plus WITH_OPENSSL_BASE="YES" and
    keeping up-to-date via the openssl and openssh ports. These options
    have saved us a _lot_ of headaches over the years despite the fact
    that it has been officially "deprecated" since 4.11 and requires
    a Makefile hack.

    *_OVERWRITE_BASE _should_be_a_required_option_ in _all_ ports that
    are also available as base applications (sendmail/postfix, bind,
    ...). Either that or move these apps out of the base altogether (as
    was done with Perl).

    > Especially if one considers that large setups can make use of network
    > booting from preinstalled images, which have been asynchronously
    > updated, for any number of machines, to include the fixes.

    Large setups can take advantage of many economies of scale that the
    rest of us cannot. We cannot reboot client servers whenever a kernel
    or OS patch comes out, much less keep a test machine around for
    every arch and OS version under support.

    -- 
    Roger Marquis
    Roble Systems Consulting
    http://www.roble.com/