From owner-freebsd-security Wed Apr 11 11: 6:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 3A12637B422 for ; Wed, 11 Apr 2001 11:06:10 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.3/8.11.3) with SMTP id f3BI6Mf91980; Wed, 11 Apr 2001 14:06:22 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Wed, 11 Apr 2001 14:06:22 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Scott Johnson
Cc: freebsd-security@freebsd.org
Subject: Re: Security Announcements
In-Reply-To: <20010411125207.A95503@ns2.airlinksys.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 11 Apr 2001, Scott Johnson wrote:

> I just want to add my voice as to how I use FreeBSD. Simply saying 'use
> -STABLE' to those of us running -RELEASE on production systems isn't
> appropriate, since I believe we have valid reasons for running -RELEASE
> on our systems. These security issues are not so frequent that providing
> patches for -RELEASE should be too burdensome. In fact, if -STABLE was
> fixed, the fix is already available and could be applied to -RELEASE
> with little or no modification. I've been pleased, actually, with how
> patches have been made available for -RELEASE until only recently, when
> both the bind and ntp vulnerabilities went by without patches. I
> thought, up till this discussion, that it was assumed that many run a
> -RELEASE, and that patches were supplied for that reason. I for one (and
> judging by the posts to this thread I'm not alone) use FreeBSD this way,
> and I ask that it be considered important to make security patches
> available for the latest -RELEASE.
This has been a recognized problem with the current release practices for a while, and for at least the past few months, it has been decided that the practice will change for FreeBSD 4.3-RELEASE. Rather than simply creating a release tag on the RELENG_4 branch, we'll actually be generating a new RELENG_4_3 branch. This will permit us to deploy security patches on the branch and generate new patchlevel point tags as needed. The main goal in this was actually to make the life of the security-officer easier: right now CVS allows us to manage patches and changes in branches, but when we generate patches for releases, there's no automated and reproducible way to do this.

Currently, the charter of the RELENG_4_3 branch will be that it simply carries security fixes, although it might eventually also carry mission-critical functionality fixes or work-arounds. It will also allow users to cvs update/cvsup along that branch to pick up all available critical release fixes, without picking up new features, and permit easier generation of binary updates to the release.

So the quick answer here is that the problem is already solved, we just haven't had a release since the solution was agreed to by all the relevant parties, so haven't seen any results yet. When Jordan cuts 4.3-RELEASE in a week or two, we'll get to see how well this works in practice. It will certainly make my life easier, both as a producer and consumer of security fixes :-).

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
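The branch-tracking step described in the reply above (cvsup along RELENG_4_3 to pick up only the security fixes for the release, rather than the new features on RELENG_4), shown as an added example of a CVSup supfile; this is not part of the original thread or the FreeBSD project's own documentation. The RELENG_4_3 tag comes from the message; the mirror host and the base/prefix paths are assumptions and should be replaced with the values for your own installation.

```conf
# Added example: supfile for tracking the 4.3 security-fix branch.
# Assumption: cvsup.FreeBSD.org is a reachable mirror; base/prefix are
# the conventional locations and may differ on your host.
*default host=cvsup.FreeBSD.org
*default base=/var/db
*default prefix=/usr
# RELENG_4_3 carries security fixes only (per the reply above).
# tag=RELENG_4 would instead track 4-STABLE and pull in new features.
*default release=cvs tag=RELENG_4_3
*default delete use-rel-suffix
*default compress
src-all
```

Run it with `cvsup -g -L 2 /path/to/this-supfile` and then rebuild from the updated source tree; because the branch carries only critical fixes, a diff of the tree before and after the update is a quick way to confirm that nothing beyond the advertised patch came in.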