On Wed, Oct 12, 2005 at 12:09:53PM +0200, jere wrote: [snip]
> And there lies another problem. In large environments it is also
> difficult to manage package security issues. The problem is that an
> updated port tree does not necessarily just fix the security issue; it
> often also bumps the version of the affected package, something not
> always needed in production and most often avoided. The first concern
> of production (enterprise or not) should be stability.

If your primary concern is stability, don't upgrade the port. If your primary concern is security, then upgrade it. If you want both, be prepared to do extra work (i.e. testing the upgrade on a staging system before deployment).

> For example, one can use a build server to quickly build new packages,
> but that package may be automatically bumped to a newer version, with
> the security issue patched and new features added. Currently FreeBSD
> admins don't have a clear choice to manage only ports security issues,
> but I think it's primarily due to a lack of port maintainers.

You cannot expect a system where all security fixes can be automatically applied without disrupting the stability of the environment. If you want to be sure nothing breaks, you will have to test it in your specific environment, period.

And you cannot expect the port maintainers to backport security fixes if the upstream provider chose to release the fix only together with a new version.

cheers,
t.