Date: Sun, 21 May 2006 23:38:42 -0500 (CDT)
From: Brent Casavant
To: Colin Percival
Cc: freebsd security, FreeBSD Stable
Subject: Re: FreeBSD Security Survey

On Sun, 21 May 2006, Colin Percival wrote:

> In order to better understand
> which FreeBSD versions are in use, how people are (or aren't) keeping
> them updated, and why it seems so many systems are not being updated, I
> have put together a short survey of 12 questions.

I applaud this survey, however question 9 missed an important point, at least to me.
I was torn between answering "less than once a month" and "I never update".

While I find ports to be the single most useful feature of the FreeBSD experience, and can't thank contributors enough for the efforts, I on the other hand find updating my installed ports collection (for security reasons or otherwise) to be quite painful.

I typically use portupgrade to perform this task. On several occasions I got "bit" by doing a portupgrade which wasn't able to completely upgrade all dependencies (particularly when X, GUIs, and desktops are in the mix -- though I always follow the special Gnome upgrade methods when appropriate). I can't rule out some form of pilot error, but the end result was pain.

After several instances of unsatisfactory portupgrades (mostly in the 5.2 through early 5.4 timeframe), I adopted the practice of either not upgrading ports at all for the life of a particular installation on a machine (typically about one year), or when necessary by removing *all* ports from the machine, cvsup'ing, and reinstalling. This has served me quite well, particularly considering the minimal threat profile these particular systems face.

So, in short, that's why *I* rarely update ports for security reasons. There are steps that could be taken at the port maintenance level that would work well for my particular case, however that's beyond the scope of the survey.

Thanks for taking the time to put the survey together, I certainly hope it proves useful.

Thank you,
Brent Casavant