Fixlet out of sync

I’m wondering how others are handling this scenario. A baseline is created and applied to a set of DEV systems. 1 week later the same baseline is applied to a QA/UAT/Test environment, and then finally another week passes and we’re ready to deploy to PROD. If, prior to prod deployment, a fixlet is out of sync, do you sync it? I ask because we want the exact same patch deployed in dev/test that we deploy to prod. Is there harm in deploying a fixlet that is out of sync?

Thanks!

I think it will depend on what fixlet is out of sync and why it had been modified. The majority of patch fixlets are updated by IBM to resolve false positives or false negatives, so by not syncing the fixlet in the baseline, the baseline may continue to report relevant or not relevant for the fixlet within the baseline. We keep our baselines in sync as the fixlet changes are mostly the detection, not the binary patch, so only the detection is changed, not the update that is getting applied to the endpoints.

Thanks for the detailed response.

I’ve always been on the fence about this as well. Because of it typically fixing false positives as was mentioned, I normally sync those in the baseline, but I don’t want to sync ones that have been superseded because of later released patches that haven’t been applied to the DEV/Test environments.