Matt Smith wrote: > On Jun 13 13:13, Michelle Sullivan wrote: >> Don Lewis wrote: >>> On 13 Jun, Michelle Sullivan wrote: >>> >>> >>>> SSH would be the biggie that most security departments are scared >>>> of... >>>> >>> >>> Well, ssh is available in ports, though I haven't checked to see >>> that it >>> picks up the correct version of openssl. >>> >>> >> >> Problem is it doesn't have 'overwrite base' anymore - and >> openssh-portable66 which does have overwrite base is now marked >> depreciated... which means one would have to be very careful about how >> they use SSH in production as both server and client... Server is >> easier as it has a different _enable identifier... but the client is not >> distinguishable so unless one puts /usr/local/bin in their permanent >> path as a priority over /usr/bin one will use the wrong version. >> > > I put WITHOUT_OPENSSH=yes in /etc/src.conf. Then run make delete-old > and make delete-old-libs in /usr/src. This removes the base version > which means you don't have this issue any longer. I do the same thing > with NTP and Unbound as well. > > Obviously this makes more sense if like me you do source based stuff > rather than using freebsd-update. I'm not sure if you can do similar > with binary based upgrades? >
57 servers around the world that I have to maintain, patch and upgrade at the same time as devel and maintain my applications... yeah I don't do source stuff ;-) It would be useful to have that option in freebsd-update. > The other alternatives are as you say, put /usr/local/bin before > /usr/bin in the $PATH. Or add an alias for commands like ssh to point > to the ports version. These methods aren't quite as clean though. > Not clean and very error prone... replace base was a lot cleaner and less error prone... but then you never know the people in security might surprise us and put out a version of base with openssl 1.0.2b in it - this would be a real bonus for a lot of people and take us a little bit away from debian where you can wait months/years for an update.... and then sometimes only if you upgrade your system to include features that you don't want. -- Michelle Sullivan http://www.mhix.org/ _______________________________________________ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
