Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Board: FB_security, posted 2005/10/12 21:45
On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote:
[snip]
> And there lies another problem. In large environments it is also
> difficult to manage packages security issues. The problem is updated
> port tree not just necessarily fix the security issue - it often also
> bumps version of affected package - something not always needed in
> production and most often avoided. The first concern of production
> (enterprise or not) should be stability.

If your primary concern is stability, don't upgrade the port. If your primary concern is security, then upgrade it. If you want both, be prepared to do extra work (i.e. testing the upgrade on a staging system before deployment).

> For example, one can use build
> server to quickly build new packages but that package may be
> automatically bumped to newer version - with patched security issue and
> new features added. Currently FreeBSD admins don't have a clear choice
> to manage only ports security issues but I think it's primarily due to
> lack of port maintainers.

You cannot expect a system where all security fixes can be automatically applied without disrupting the stability of the environment. If you want to be sure nothing breaks, you will have to test it in your specific environment, period. And you cannot expect the port maintainers to backport security fixes if the upstream provider chose to release the fix only together with a new version.

cheers,
t.