Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Board: FB_security, posted 2005/10/12 20:45
On 2005-10-11 18:37, jimmy@inet-solutions.be wrote:
>Quoting jere <jere@htnet.hr>:
>> unfortunately, this is the dark side of FreeBSD security patch
>> management :) and I think also the main reason FreeBSD isn't so widely
>> deployed into enterprise environments. It's ok for hacking or managing
>> few boxes but try to imagine how to manage security on hundreds of them
>> this way. :(
>>
>> on the other side (bright side :) you can try to use unofficial and
>> often somewhat slowly updating solutions such as bsdupdate
>> (www.bsdupdates.com) or freebsd-update (from ports tree).
>>
>> currently, FreeBSD just don't have a mechanism to handle security
>> advisories in quick way.
>>
>> any suggestions/corrections ?
>
> What I meant was: "why compile everything instead of just openssl"
> I'm thinking about this question since the last openssl issue in FreeBSD.

Because it's the easiest way (read "the most easy way to automate for
thousands of machines, through a few well selected build machines") to
make sure that you get *ALL* the dependencies right.

The alternative of manually fiddling with makefiles under /usr/src may be
ok for hacker-style, experimental installations, where a few hours of
breakage may be ok. This is _UNACCEPTABLE_ in a large setup.

Especially if one considers that large setups can make use of network
booting from preinstalled images, which have been asynchronously updated,
for any number of machines, to include the fixes.

I don't see anything wrong with that.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #13JGLs00 (FB_security)