Giorgos Keramidas wrote:
The alternative of manually fiddling with makefiles under /usr/src may
be ok for hacker-style, experimental installations, where a few hours of
breakage may be ok.  This is _UNACCEPTABLE_ in a large setup.

This is one of the reasons we have continued using
OPENSSL_OVERWRITE_BASE="YES" plus WITH_OPENSSL_BASE="YES" and
keeping up-to-date via the openssl and openssh ports.  These options
have saved us a _lot_ of headaches over the years despite the fact
that it has been officially "deprecated" since 4.11 and requires
a Makefile hack.

*_OVERWRITE_BASE _should_be_a_required_option_ in _all_ ports that
are also available as base applications (sendmail/postfix, bind,
...).  Either that or move these apps out of the base altogether (as
was done with Perl).

Especially if one considers that large setups can make use of network
booting from preinstalled images, which have been asynchronously
updated, for any number of machines, to include the fixes.

Large setups can take advantage of many economies of scale that the
rest of us cannot.  We cannot reboot client servers whenever a kernel
or OS patch comes out, much less keep a test machine around for
every arch and OS version under support.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/