freebsd security - Apr 2006 - [RFC] Ideas and Questions in security updates ( portaudit, freebsd-update)

Hi all,

        I use FreeBSD for severals years and this Project now have a
possibility the full security update (src) with
freebsd-update, is really great for Release users but is break for Stable
user.
        Ok !!! Exist a possibility for apply manual patch and compile issue,
but for me problem existe in fix kernel issue in stable branch because is
require a update for last stable and this result in {make
buildworld,kernel,installworld) large time for correct a security issue,
in  large enviroment with jails and critical applications like
administrative ldap e high webservers.
        Correct issue in large enviroment is a tormento, and result in full
downtime, what the recomendation for security update in large enviroment
with jail ?
        About Ports security issues, one idea is integrate portaudit and
portupgrade or create another tool for update ports,
this ideia is based in Gentoo glsa-check
( http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=14
)



Thanks for Attention and sorry for my bad english.

Ricardo A. Reis
UNIFESP
Unix and Network Admin

		
_______________________________________________________ 
Abra sua conta no Yahoo! Mail: 1GB de espa?o, alertas de e-mail no celular e
anti-spam realmente eficaz.
http://br.info.mail.yahoo.com/

On Mon, 2006-04-10 at 16:03 -0300, Ricardo A. Reis
wrote:
> Hi all,
> <snip>
>         About Ports security issues, one idea is integrate portaudit and
> portupgrade or create another tool for update ports,
> this ideia is based in Gentoo glsa-check
> (
http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=14
> )
> 
I recently saw glsa-check while talking to a Gentoo dev at Linux World
this past week.  It's very nice but does not fit in with our tree and
updating model.  Gentoo supports updating individual ports while leaving
other ports on the system untouched.  We do not support this sort of
updating model.  To get security updates for the FreeBSD collection you
have one of two options.  Either A) follow the recommended procedure and
update all ports when a security issue for one arises or B) backport
patches yourself and support all potential problems yourself.

Tom
> 
> 
> Thanks for Attention and sorry for my bad english.
> 
> Ricardo A. Reis
> UNIFESP
> Unix and Network Admin
-- 
| tmclaugh at sdf.lonestar.org             tmclaugh at FreeBSD.org |
| FreeBSD                                   http://www.FreeBSD.org |
| BSD#                    http://www.mono-project.com/Mono:FreeBSD |