[buug] Convert Linux Gateway to OpenBSD

f.johan.beisser jan at caustic.org
Thu Oct 24 16:31:42 PDT 2002


On Thu, 24 Oct 2002, Charles Howse wrote:

> >install the snapshots. upgrade when 3.2 (-stable) is released.
>
> I thought stable was where I wanted to be, rather than current.

here's the question: install a 6 month old release, go through and do a
full rebuild of ssh (due to the fact it's a vulnerable version of ssh) or
install a very stable pre-release version of -current?

i've had very few problems with the snapshot releases, far fewer with
OpenBSD-current than FreeBSD-current.

> >if the machine works, why fix it? the occasional upgrade isn't a bad idea,
> >doing one that's not necessary to a production machine (and that is what
> >this is) is foolish.
>
> Agreed, I patch my Windows box when they release a patch for an
> application that I use.

how many applications are you going to have on this machine?

unlike windows, the various unix clones tend to not have very many "life
threatening" exploits. the only things you need to worry about are feature
changes (if you even need the new feature in the first place), and remote
exploits.

the first happens rarely. if you don't require it, it's icing; excepting
those times where it makes your life much easier.

if it's a remote exploit, how you handle it is up to you. since just
about everything is turned off to begin with, i usually handle remote
exploits with "rm -f" of the vulnerable binary, and don't bother with it
from there. on the other hand, a needed daemon puts you in an unusual
position. you have to balance the need (for example, sshd) against the
vulnerability (root access for the attacker, from a remote host); my
solution to that is simply to upgrade. if the machine doesn't have a compiler
(such as poor stupid brimstone) it means i install the snapshot, and move
onward.

> It makes sense to patch the BSD box when they release a patch for an
> issue that affects me.

and, looking at the errata page on OpenBSD's site, your default install of
3.1 has 5 patches you'd have to install to ensure a system that's
"secure" from remote attacks: 001, 006, 007, 011, 013.

of those, you actually only need 001, and 006.

> That's what I intend to do.  What is the best way to do that?

install a snapshot, and use that instead. the snapshots, as i said before,
are very stable.

your other option is to have another OpenBSD box of the same architecture,
and compile your own -stable releases.

i find the snapshots are easier to handle.

> Get the patches from 'errata' and install them manually?

that's how you usually do them. download the patch branch of the source
tree, and compile away.


-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan at caustic.org
	"Champagne for my real friends, real pain for
	  my sham friends." -- Tom Waits
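The manual errata workflow the reply sketches (fetch the patches from the errata page, apply them to the source tree, rebuild what the patch header tells you to), as an added example that is not part of the original post or of OpenBSD itself. It assumes the source tree is at `$SRC` (default /usr/src), that errata patches are files named `NNN_*.patch`, and that applied patch numbers are recorded in `$APPLIED_LOG`, which is a hypothetical bookkeeping file for this example, not an OpenBSD convention. The errata numbers and the sample patch header below are constructed input; the only real convention relied on is that each OpenBSD errata patch begins with a comment block of "Apply by doing" / "And then rebuild" instructions before the first diff line.

```shell
#!/bin/sh
# Added example, not from the original post: track which errata from a
# required list are still missing, show the rebuild instructions in a
# patch header, and apply a patch to the source tree.
# Assumptions: $SRC is the source tree, $APPLIED_LOG is a hypothetical
# record of applied patch numbers (one per line), patches are NNN_*.patch.

SRC=${SRC:-/usr/src}
APPLIED_LOG=${APPLIED_LOG:-/var/db/errata-applied}

# missing_errata "001 006 007" LOGFILE
# Print, one per line, the errata numbers from $1 not listed in $2.
# A missing log means nothing has been applied yet.
missing_errata() {
    for n in $1; do
        if [ -f "$2" ] && grep -qx "$n" "$2"; then
            continue
        fi
        echo "$n"
    done
}

# patch_instructions PATCHFILE
# Print the comment block that heads an errata patch (the "Apply by doing"
# and "And then rebuild" steps), i.e. everything before the first diff line.
patch_instructions() {
    awk '/^(Index:|---|\+\+\+|diff )/ { exit } { print }' "$1"
}

# apply_errata PATCHFILE
# Apply one errata patch with -p0 from the top of the source tree and, on
# success, record its number. The rebuild steps still have to be run by hand.
apply_errata() {
    f=$1
    n=$(basename "$f" | cut -d_ -f1)
    (cd "$SRC" && patch -p0 < "$f") || return 1
    echo "$n" >> "$APPLIED_LOG"
}

# Stand-alone demo on constructed data in a temporary directory.
demo=$(mktemp -d)
# Constructed log: pretend 001 and 006 (the two the reply calls necessary)
# have already been applied.
printf '001\n006\n' > "$demo/applied"
echo "still missing from the 3.1 errata list:"
missing_errata "001 006 007 011 013" "$demo/applied"

# Constructed patch file in the errata header style (placeholder name).
cat > "$demo/007_placeholder.patch" <<'EOF'
Apply by doing:
	cd /usr/src
	patch -p0 < 007_placeholder.patch

And then rebuild and install the affected program:
	cd usr.bin/placeholder
	make obj && make depend && make && make install

Index: usr.bin/placeholder/placeholder.c
--- usr.bin/placeholder/placeholder.c.orig
+++ usr.bin/placeholder/placeholder.c
EOF
echo "rebuild instructions from the patch header:"
patch_instructions "$demo/007_placeholder.patch"
rm -rf "$demo"
```

Run it as-is to see the missing list and the header extraction; `apply_errata` is deliberately not invoked by the demo because it modifies a real source tree, so call it only after setting `SRC` and `APPLIED_LOG` to the locations you actually use.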
