From owner-freebsd-stable@FreeBSD.ORG Tue Dec 16 06:12:46 2014
Delivered-To: freebsd-stable@freebsd.org
Sender: kob6558@gmail.com
References: <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no>
Date: Mon, 15 Dec 2014 22:12:45 -0800
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
From: Kevin Oberman
To: Chris H
Cc: FreeBSD-STABLE Mailing List, "sthaug@nethelp.no"
List-Id: Production branch of FreeBSD source code

On Mon, Dec 15, 2014 at 8:24 PM, Chris H wrote:
> On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug@nethelp.no wrote
>
> > > > > It was a deliberate decision made by the maintainer. He said the
> > > > > chroot code in the installation was too complicated and would be
> > > > > removed as a part of the installation clean-up to get all BIND
> > > > > related files out of /usr and /etc. I protested at the time, as
> > > > > did someone else, but the maintainer did not respond. I think
> > > > > this was a really, really bad decision.
> > > > >
> > > > > I searched a bit for the thread on removing BIND leftovers, but
> > > > > have failed to find it.
> > > >
> > > > You're probably thinking about my November 17 posting:
> > > >
> > > > http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
> > > >
> > > > I'm glad to see others finally speaking up; I was beginning to think
> > > > I was the only one who thought this was not a good idea. I'm a bit
> > > > surprised that no one has responded yet.
> > >
> > > I agree with the protesters here. Removing chroot and symlinking logic
> > > in the ports is a significant disservice to FreeBSD users, and will
> > > make it harder to use BIND in a sensible way. A net disincentive to
> > > use FreeBSD :-(
> >
> > I have now installed my first 10.1 based name server. I had to spend
> > some hours to recreate the changeroot environment that I had so easily
> > available in FreeBSD up to 9.x.
> >
> > Removing the changeroot environment and symlinking logic is a net
> > disservice to the FreeBSD community, and a disincentive to use FreeBSD.
>
> In all fairness (is there even such a thing?):
> "Convenience" is a two-way street. For each person that thinks the BIND
> chroot(8) mtree(8) symlink(2) was a great "service", there are at
> *least* as many who feel differently. I chose to remove/disable BIND
> from BASE some time ago, as it wasn't "convenient" to have to
> overcome/deal with the CVE/security issues. In the end, I was forced to
> re-examine some of the other resolvers, which ultimately only proved to
> be better choice(s).
>
> Just sayin'
>
> --Chris

Please don't conflate issues. Moving BIND out of the base system is
something long overdue. I know that the longtime BIND maintainer, Doug B,
had long felt it should be removed. This has exactly NOTHING to do with
removing the default chroot installation. The ports were, by default,
installed chrooted. Jailed would have been better, but it was not
something that could be done in a port unless the jail had already been
set up. chroot is still vastly superior to not chrooted, and I was very
distressed to see it go from the ports.

Disclaimer: since I retired I am no longer running a DNS server, so this
had no impact on me. I simply see it as an unfortunate regression.
-- 
Kevin Oberman, Network Engineer, Retired
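Nobody in the thread spells out what the dropped port logic actually did, so here is the by-hand equivalent of what sthaug describes recreating, as an added example (my own, not code from this thread, from the FreeBSD base system or from the dns/bind ports): the directory skeleton the old /etc/mtree/BIND.chroot.dist produced, a devfs mount for the chroot's /dev exposing only the nodes named needs, the symlink that keeps the config edited outside the chroot identical to what named reads inside, and the rc.conf lines that make named chroot itself with -t and drop privileges with -u, which rc.subr passes through named_flags regardless of whether the port's rc.d script still knows named_chrootdir. The chroot root /var/named, the user bind, the etc/namedb layout inside the chroot and the chroot-relative -c path are assumptions for illustration; the 10.x port keeps its config under /usr/local/etc/namedb, so pass that directory to link_namedb instead of /etc. A jail, as Kevin notes, would be the stronger boundary, but it needs a jail to exist first; this only builds the chroot.

```shell
#!/bin/sh
# Added example, not from the thread, the FreeBSD base system or the dns/bind
# ports: rebuild by hand the BIND chroot that FreeBSD up to 9.x set up for you.
# Assumed for illustration: chroot root /var/named, named runs as user "bind",
# config lives in etc/namedb inside the chroot (the 10.x port keeps its copy
# under /usr/local/etc/namedb; pass that directory as link_namedb's 2nd arg).
set -eu

# Directory skeleton inside the chroot root $1, following the layout the old
# /etc/mtree/BIND.chroot.dist produced. Only the directories named writes to
# (slave/dynamic/working zones, pid file, dumps, logs, stats) are handed to
# the bind user; config and master zones stay root-owned and read-only.
make_bind_chroot() {
    root=$1
    for d in dev etc/namedb/master etc/namedb/slave etc/namedb/dynamic \
             etc/namedb/working var/run/named var/dump var/log var/stats; do
        mkdir -p "$root/$d"
    done
    if [ "$(id -u)" -eq 0 ] && id bind >/dev/null 2>&1; then
        for d in etc/namedb/slave etc/namedb/dynamic etc/namedb/working \
                 var/run/named var/dump var/log var/stats; do
            chown bind:bind "$root/$d"
        done
    fi
    # Log timestamps inside the chroot need the zone info file.
    if [ -f /etc/localtime ]; then
        cp /etc/localtime "$root/etc/localtime"
    fi
}

# FreeBSD keeps no device nodes on ordinary filesystems, so /dev inside the
# chroot is a devfs mount with everything hidden except the three nodes named
# needs. Root on FreeBSD only; redo after each boot (or move it to /etc/fstab
# plus devfs.rules).
mount_chroot_devfs() {
    root=$1
    mount -t devfs devfs "$root/dev"
    devfs -m "$root/dev" rule apply hide
    for n in null zero random; do
        devfs -m "$root/dev" rule apply path "$n" unhide
    done
}

# Replace $2/namedb (/etc/namedb on a 9.x-style layout, /usr/local/etc/namedb
# for the port) with a symlink into the chroot, moving existing config and
# zones inside first, so the files edited outside are the ones named reads.
link_namedb() {
    root=$1
    etc=$2
    if [ -d "$etc/namedb" ] && [ ! -L "$etc/namedb" ]; then
        cp -Rp "$etc/namedb/." "$root/etc/namedb/"
        mv "$etc/namedb" "$etc/namedb.orig"
    fi
    if [ -L "$etc/namedb" ]; then
        rm "$etc/namedb"
    fi
    ln -s "$root/etc/namedb" "$etc/namedb"
}

# rc.conf lines for an rc.d script that no longer knows named_chrootdir:
# rc.subr always honours named_flags. named -t chroots before it reads the
# config (so the -c path is relative to the chroot root) and -u drops to the
# bind user afterwards; -t without -u gains nothing, root can leave a chroot.
rc_conf_lines() {
    root=$1
    printf 'named_enable="YES"\n'
    printf 'named_flags="-u bind -t %s -c /etc/namedb/named.conf"\n' "$root"
}

# Usage on FreeBSD, as root:
#   make_bind_chroot /var/named
#   mount_chroot_devfs /var/named
#   link_namedb /var/named /usr/local/etc   # or /etc on a 9.x-style layout
#   rc_conf_lines /var/named >> /etc/rc.conf
```

Check the result before enabling it: everything under the chroot except the handed-over directories should be owned by root and not writable by bind, the devfs mount should list only null, zero and random, and `rndc` still needs its key readable inside the chroot at the path named.conf names.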