Roger Marquis <marquis at roble.com> writes:> This is most unfortunate as it creates a high bar for base security
> patches at many FreeBSD shops. Sites with a significant number of
> production hosts, jails and/or filesystem fingerprinting (integrit,
> tripwire) or those with constrained resources are never going to be able
> to make/build/installworld for something as simple as a single binary
> update.
These sites would be better served using freebsd-update to download and
apply binary patches. Since freebsd-update is based entirely on http
and on package signatures rather than server certificates, you can
easily set up a proxy for systems which do not have direct Internet
access. If your network is air-gapped, you can set up a few VMs with
different FreeBSD versions in a DMZ to run freebsd-update through a
proxy, then manually copy the contents of the proxy's cache to an http
server in your secure network.
> I assume the root cause is insufficient resources within the freebsd
> security team. If that's the case would there be a budget estimate
> associated with addressing this security advicory situation?
I would suggest discussing this with the FreeBSD Foundation. They have
already taken an interest in the matter.
DES
--
Dag-Erling Sm?rgrav - des at des.no