Roger Marquis <marq...@roble.com> writes: > This is most unfortunate as it creates a high bar for base security > patches at many FreeBSD shops. Sites with a significant number of > production hosts, jails and/or filesystem fingerprinting (integrit, > tripwire) or those with constrained resources are never going to be able > to make/build/installworld for something as simple as a single binary > update.
These sites would be better served using freebsd-update to download and apply binary patches. Since freebsd-update is based entirely on http and on package signatures rather than server certificates, you can easily set up a proxy for systems which do not have direct Internet access. If your network is air-gapped, you can set up a few VMs with different FreeBSD versions in a DMZ to run freebsd-update through a proxy, then manually copy the contents of the proxy's cache to an http server in your secure network. > I assume the root cause is insufficient resources within the freebsd > security team. If that's the case would there be a budget estimate > associated with addressing this security advicory situation? I would suggest discussing this with the FreeBSD Foundation. They have already taken an interest in the matter. DES -- Dag-Erling Smørgrav - d...@des.no _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
