[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Binary patches

>Sorry, if it is obvious, but anyway: 
>Let's assume that I have production bastion host. So it shouldn't have
>nor source code neither any development tools (yeah, I'm paranoid ;)

       IMO, this is not really productive. An intruder can always
bring their own tools. You shouldn't run anything extra on a bastion
host, but tools being there isn't a big deal - If an attacker gets on
it you're dead anyway. making it difficult to administer and apply
fixes too only hurts you, not a knowledgeable attacker.

>So, how should I upgrade system to current level, or just security patches?
	Build the patches on another machine and bring them over. That's
what I'd do.