From owner-freebsd-security Tue Apr 10 20: 4:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.insweb.com (mail2.insweb.com [204.254.158.36]) by hub.freebsd.org (Postfix) with ESMTP id AE7B737B423 for ; Tue, 10 Apr 2001 20:04:22 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Received: from ursine.com (dhcp-4-45-203.users.insweb.com [10.4.45.203]) by mail2.insweb.com (8.11.0/8.11.0) with ESMTP id f3B34LT82743 for ; Tue, 10 Apr 2001 20:04:22 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Message-ID: <3AD3C9B5.1DC86C19@ursine.com>
Date: Tue, 10 Apr 2001 20:04:21 -0700
From: Michael Bryan
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: Security Announcements?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nicole Harrington wrote:
>
> As someone who runs many production level servers here is what I would want
> In order:
>
> [...]
>
> 2) A binary patch. Similar to the Linux RPMs and the BSDi patches.
> Just download and run. No compiles no installs.

I fully agree. In my opinion, it would be the single most helpful improvement to the FreeBSD bug fix process. It is much, much, much easier to roll out (install/test/approve) a binary patch of just the affected software, rather than making systems track -STABLE, or even doing what I do now, which is to do "spot builds" of the affected software and create my own crude-but-effective installs to send out to all the affected servers. [And some things like kernel fixes would obviously not be doable without a manual compile/install of a new kernel, but that doesn't nullify the effectiveness in cases where you can do binary patches.]

It also helps solve another problem that comes up every time BIND or some other software goes through this process --- the fact that one of the easiest ways to currently upgrade is to use the version in the ports tree, but the pieces get installed in different/conflicting locations than the same components in the base system install, unless you tweak the prefixes (and sometimes other things) when you build the port. I know that there are ways to get around those issues using -STABLE, knowing the "make prefix=" magic, and other things, but there are so many times that something like this comes up, and we get another round of questions and confusion about the update process. That tells me that the current process is not really good enough, and needs improving.

And yeah, I know --- it takes time, money, people, systems, etc. to be able to provide those services to the community, and somebody will need to provide those resources in order to make it happen.

I don't know... maybe I can work out something and do some measure of this myself, but I'd have to talk with my employer, and then maybe discuss things with Kris, and I'm not particularly hopeful that I can personally spare enough of myself to do an effective job of it. But I am going to think about it...

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
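The prefix conflict described in the message above (a port-built copy of a daemon such as BIND landing under /usr/local while the base-system copy stays under /usr, so that it is not obvious whether the fix actually took effect) can be checked for mechanically after an upgrade. The script below is an added example, not code from the original mail or from the FreeBSD project; it assumes the conventional base prefix /usr and ports prefix /usr/local, the function names are mine, and it builds a throwaway directory tree to stand in for a real system. It reports programs installed under both prefixes and shows which copy a bare command name resolves to on a given PATH, which is what an rc script or an administrator typing the name actually runs.

```shell
#!/bin/sh
# Added example (not from the original mail): detect a program installed under
# both the base-system prefix and the ports prefix, so that a fix applied via
# the ports tree is not silently shadowed by the older base-system copy.
# Assumed prefixes follow FreeBSD convention: base /usr, ports /usr/local.
set -eu

# find_duplicates BASE_PREFIX PORTS_PREFIX PROGRAM...
# Prints "prog base_copy ports_copy" for every program present under both
# prefixes (looking in sbin and bin), and nothing for programs found once.
find_duplicates() {
    base="$1"; ports="$2"; shift 2
    for prog in "$@"; do
        base_bin=""; ports_bin=""
        for d in sbin bin; do
            if [ -z "$base_bin" ] && [ -x "$base/$d/$prog" ]; then
                base_bin="$base/$d/$prog"
            fi
            if [ -z "$ports_bin" ] && [ -x "$ports/$d/$prog" ]; then
                ports_bin="$ports/$d/$prog"
            fi
        done
        if [ -n "$base_bin" ] && [ -n "$ports_bin" ]; then
            printf '%s %s %s\n' "$prog" "$base_bin" "$ports_bin"
        fi
    done
}

# path_winner PATHLIST PROGRAM
# Prints which copy a bare "PROGRAM" would run with the given search path.
path_winner() {
    ( PATH="$1"; command -v "$2" )
}

# make_demo_tree: constructed stand-in for a system that has BIND from the
# base system and a newer BIND from ports installed side by side (named is
# duplicated; dig exists only in base, host only in ports). Prints the root.
make_demo_tree() {
    root=$(mktemp -d)
    for f in usr/sbin/named usr/bin/dig usr/local/sbin/named usr/local/bin/host; do
        mkdir -p "$root/$(dirname "$f")"
        printf '#!/bin/sh\nexit 0\n' > "$root/$f"
        chmod +x "$root/$f"
    done
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree.
demo_root=$(make_demo_tree)
echo "Programs installed under both prefixes:"
find_duplicates "$demo_root/usr" "$demo_root/usr/local" named dig host
# The conventional FreeBSD PATH lists /usr/sbin ahead of /usr/local/sbin, so
# the base-system copy is the one that runs unless the PATH (or the rc
# script's explicit path to the daemon) is changed.
echo "Conventional PATH order resolves named to:"
path_winner "$demo_root/usr/sbin:$demo_root/usr/local/sbin" named
rm -rf "$demo_root"
```

Run against a real host by calling find_duplicates with the real prefixes (/usr and /usr/local) and the names of the programs the advisory covers; any line it prints is a machine where the old copy is still present and where the PATH order or the rc script decides which version actually serves traffic.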