FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

Roger Marquis marquis at roble.com
Thu Oct 13 07:57:38 PDT 2005


Giorgos Keramidas wrote:
> The alternative of manually fiddling with makefiles under /usr/src may
> be ok for hacker-style, experimental installations, where a few hours of
> breakage may be ok.  This is _UNACCEPTABLE_ in a large setup.

This is one of the reasons we have continued using
OPENSSL_OVERWRITE_BASE="YES" plus WITH_OPENSSL_BASE="YES" and
keeping up-to-date via the openssl and openssh ports.  These options
have saved us a _lot_ of headaches over the years despite the fact
that it has been officially "deprecated" since 4.11 and requires
a Makefile hack.

*_OVERWRITE_BASE _should_be_a_required_option_ in _all_ ports that
are also available as base applications (sendmail/postfix, bind,
...).  Either that or move these apps out of the base altogether (as
was done with Perl).

> Especially if one considers that large setups can make use of network
> booting from preinstalled images, which have been asynchronously
> updated, for any number of machines, to include the fixes.

Large setups can take advantage of many economies of scale that the
rest of us cannot.  We cannot reboot client servers whenever a kernel
or OS patch comes out, much less keep a test machine around for
every arch and OS version under support.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

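The check a practitioner wants after running the openssl port with OPENSSL_OVERWRITE_BASE is whether the overwrite actually took: the base and port `openssl version` output should agree, and a daemon such as sshd should be linked against the libssl you expect. The script below is an added example, not code from the original post or from FreeBSD. It assumes the default FreeBSD paths /usr/bin/openssl, /usr/local/bin/openssl and /usr/sbin/sshd, and the version lines and ldd output it exercises are constructed samples so the logic can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): verify that the
# security/openssl port really replaced the base OpenSSL after a build with
# OPENSSL_OVERWRITE_BASE=YES, and report which libssl a daemon links against.
# Paths /usr/bin/openssl, /usr/local/bin/openssl and /usr/sbin/sshd are assumed
# FreeBSD defaults; the SAMPLE_* values below are constructed test data.

# Second whitespace-separated field of an "openssl version" line, e.g. "0.9.7e".
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# 0 when base and port report the same version string, 1 otherwise.
# With OPENSSL_OVERWRITE_BASE the two should agree; a mismatch means one copy
# was rebuilt without the other and the base may still carry the old code.
same_openssl_version() {
    [ "$1" = "$2" ]
}

# Path of libssl taken from ldd(1)-style output, or "none" when the binary does
# not link libssl or ldd reported it as "not found". FreeBSD ldd prints lines
# like "    libssl.so.3 => /usr/lib/libssl.so.3 (0x2808a000)".
libssl_path_from_ldd() {
    path=$(printf '%s\n' "$1" |
        awk '/libssl/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }')
    if [ -n "$path" ]; then
        printf '%s\n' "$path"
    else
        printf 'none\n'
    fi
}

# Human-readable report for one pair of version lines plus one ldd listing.
report() {
    base="$1"; port="$2"; ldd_out="$3"
    if same_openssl_version "$base" "$port"; then
        echo "base and port agree: $(openssl_version_token "$base")"
    else
        echo "MISMATCH: base=$(openssl_version_token "$base") port=$(openssl_version_token "$port")"
    fi
    echo "libssl used: $(libssl_path_from_ldd "$ldd_out")"
}

# Constructed sample: the port was updated but the base copy was not.
SAMPLE_BASE='OpenSSL 0.9.7e 25 Oct 2004'
SAMPLE_PORT='OpenSSL 0.9.7h 11 Oct 2005'
SAMPLE_LDD='    libssl.so.3 => /usr/lib/libssl.so.3 (0x2808a000)
    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x280b9000)'
report "$SAMPLE_BASE" "$SAMPLE_PORT" "$SAMPLE_LDD"

# Live check, run only where the assumed binaries exist (skipped elsewhere).
if [ -x /usr/bin/openssl ] && [ -x /usr/local/bin/openssl ] && [ -x /usr/sbin/sshd ]; then
    report "$(/usr/bin/openssl version)" "$(/usr/local/bin/openssl version)" "$(ldd /usr/sbin/sshd)"
fi
```

On a host where the overwrite worked, the two version lines match and sshd resolves libssl under /usr/lib (the path the port overwrote); a mismatch, or a libssl path under /usr/local/lib for a daemon you expected to use the base library, tells you which copy is actually live before trusting the advisory's fixed version.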
