Date:      Mon, 15 Dec 2014 22:12:45 -0800
From:      Kevin Oberman <rkoberman@gmail.com>
To:        Chris H <bsd-lists@bsdforge.com>
Cc:        FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, "sthaug@nethelp.no" <sthaug@nethelp.no>
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <CAN6yY1uuj7Jj65zOsKZ=3Uk3y-E300BeyY=NA9iU%2B%2Bn5CKBqyg@mail.gmail.com>
In-Reply-To: <e209e27f9eb42850326f5a4df458722b@ultimatedns.net>
References:  <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com> <alpine.BSF.2.00.1312031407090.78399@roadkill.tharned.org> <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no> <e209e27f9eb42850326f5a4df458722b@ultimatedns.net>

On Mon, Dec 15, 2014 at 8:24 PM, Chris H <bsd-lists@bsdforge.com> wrote:

> On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug@nethelp.no wrote
>
> > > > > It was a deliberate decision made by the maintainer. He said the chroot
> > > > > code in the installation was too complicated and would be removed as a
> > > > > part of the installation clean-up to get all BIND related files out of
> > > > > /usr and /etc. I protested at the time as did someone else, but the
> > > > > maintainer did not respond. I think this was a really, really bad
> > > > > decision.
> > > > >
> > > > > I searched a bit for the thread on removing BIND leftovers, but have
> > > > > failed to find it.
> > > > >
> > > >
> > > > You're probably thinking about my November 17 posting:
> > > >
> > > > http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
> > > >
> > > > I'm glad to see others finally speaking up; I was beginning to think I
> > > > was the only one who thought this was not a good idea. I'm a bit
> > > > surprised that no one has responded yet.
> > >
> > > I agree with the protesters here. Removing chroot and symlinking logic
> > > in the ports is a significant disservice to FreeBSD users, and will
> > > make it harder to use BIND in a sensible way. A net disincentive to
> > > use FreeBSD :-(
> >
> > I have now installed my first 10.1 based name server. I had to spend
> > some hours to recreate the changeroot environment that I had so easily
> > available in FreeBSD up to 9.x.
> >
> > <rant>
> > Removing the changeroot environment and symlinking logic is a net
> > disservice to the FreeBSD community, and disincentive to use FreeBSD.
> > </rant>
> In all fairness (is there even such a thing?);
> "Convenience" is a two-way street. For each person that thinks
> the BIND chroot(8) mtree(8) symlink(2) was a great "service", there
> are at *least* as many who feel differently. I chose to remove/disable
> the BIND, from BASE, some time ago. As it wasn't "convenient" to have
> to overcome/deal with the CVE/security issues. In the end, I was forced
> to re-examine some of the other resolvers, that ultimately, only proved
> to be better choice(s).
>
> Just sayin'
>
> --Chris
>

Please don't conflate issues. Moving BIND out of the base system is
something long overdue. I know that the longtime BIND maintainer, Doug B,
had long felt it should be removed. This has exactly NOTHING to do with
removing the default chroot installation. The ports were, by default,
installed chrooted. Jailed would have been better, but it was not something
that could be done in a port unless the jail had already been set up.
chroot is still vastly superior to not chrooted and I was very distressed
to see it go from the ports.

Disclaimer, since I retired I am no longer running a DNS server, so this
had no impact on me. I simply see it as an unfortunate regression.
--
Kevin Oberman, Network Engineer, Retired