-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Bob,

Bob Beck wrote:
>
> In my experience it's simple. Generally speaking, not installing a
> compiler makes the system less secure. Why? Real easy. Most systems I
> have ever seen without a compiler have software running on them that is
> behind on its updates. When you ask the system administrator why, it
> is "Oh I don't have the compiler installed"
>

Nah, I have to disagree. A production system shouldn't spend its time
compiling software (to provide security updates). In a bigger environment
(say 1000 servers) I will have a build system which compiles all the stuff
needed for updating the servers. Hence I don't need / want a compiler on my
production servers.

> Not giving the system administrator the tools to install
> security updates is a recipe for a less secure system.

That's true. However, see my statement above :) It's a waste of CPU time to
do compiling on a server which is actually busy providing a database or
having an Apache up 'n running.

>
> Meanwhile, an attacker, if they need something compiled,
> can simply compile elsewhere and bring it in, or install the tool
> once the box is owned.

True. I never argued against that :)

>
> -Bob
>
> (Yes there are exceptions to this if you have some other sort of
> update mechanism in place, blah blah blah. 90% of people don't,

You simply want binary updates. If I were to tell my boss that we need n
more servers because they're all busy compiling the same stuff for
themselves... well, I can imagine what answer I would get ;)

> because they run openbsd and "never need to patch it", but then run
> "other" dubious stuff out of /usr/local/ and should be..)

then this other stuff should be compiled centrally on a build server.

./Marian

-----BEGIN PGP SIGNATURE-----

iD8DBQFEV3gngAq87Uq5FMsRAn2yAJ90ErA0XjQJpch5H+EMoiKWXUvmCwCg3i3u
NfRbsN5ZyQPqrjcTtMTEOwc=
=teWZ
-----END PGP SIGNATURE-----
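The workflow Marian describes, a central build host producing binaries that compiler-less production hosts only install, hinges on one thing the thread does not spell out: the production side must be able to check that what arrived is what the build host produced. The script below is an added illustration of that handoff, not code from either poster. It is a constructed example that stands in a directory tree for "the compiled software", packages it with a SHA-256 manifest on the build side, and has the install side refuse anything whose hash does not match. File names (`release.tar`, `release.tar.sha256`) and the `stage`/`rel`/`prod` directories are assumptions chosen for the demo; a real deployment would sign the manifest rather than rely on the hash alone.

```shell
#!/bin/sh
# Added example: build-host -> production-host handoff with integrity check.
# The build host compiles and packages; the production host (no compiler)
# verifies the manifest and unpacks. All paths/names here are constructed.
set -eu

# Build side: package an installed tree and write a SHA-256 manifest for it.
#   $1 = staged install tree (what "make install DESTDIR=..." would produce)
#   $2 = output directory for the release artefact and its manifest
build_release() {
    src="$1"; out="$2"
    mkdir -p "$out"
    tar -C "$src" -cf "$out/release.tar" .
    ( cd "$out" && sha256sum release.tar > release.tar.sha256 )
    echo "$out/release.tar"
}

# Production side: unpack only if the artefact matches its manifest.
#   $1 = directory holding release.tar and release.tar.sha256
#   $2 = install root to unpack into
# Returns 0 on success, 1 when the checksum does not match.
install_release() {
    rel="$1"; root="$2"
    if ! ( cd "$rel" && sha256sum -c --quiet release.tar.sha256 ) >/dev/null 2>&1; then
        echo "refusing to install: checksum mismatch for $rel/release.tar" >&2
        return 1
    fi
    mkdir -p "$root"
    tar -C "$root" -xf "$rel/release.tar"
}

# Demo on constructed data: a one-file "program" stands in for a build output.
# Prints "ok" when the good release installs and the tampered one is refused.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/stage/bin"
    printf '#!/bin/sh\necho hello\n' > "$work/stage/bin/hello"
    chmod +x "$work/stage/bin/hello"

    build_release "$work/stage" "$work/rel" >/dev/null
    install_release "$work/rel" "$work/prod"
    [ -x "$work/prod/bin/hello" ] || { rm -rf "$work"; return 1; }

    # Corrupt the artefact in transit; the install must now be refused.
    printf 'x' >> "$work/rel/release.tar"
    if install_release "$work/rel" "$work/prod2" 2>/dev/null; then
        echo "tampered artefact accepted"
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    echo "ok"
}
```

Run with `sh -c '. ./build_handoff.sh; demo'` (file name assumed). The point of separating `build_release` from `install_release` is that the second function needs only `tar` and `sha256sum`, so the production host can stay without a compiler while still refusing artefacts that were altered between the build server and itself.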