From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: Roger Marquis
Date: Wed, 28 Nov 2001 16:14:31 -0700
Subject: Re: Updating ssh
Message-ID: <15365.28631.76543.817423@caddis.yogotech.com>
In-Reply-To: <20011128143641.X12621-100000@roble.com>
Sender: owner-freebsd-security@FreeBSD.ORG

> > This reflects a common problem in FreeBSD. When you install a port or
> > compile a newer version of an application which is included in the base
> > install, it usually goes into /usr/local, so the system keeps on using
> > the old version (which is ahead of the newer one in the path).

That's a configuration issue. I've never had the sorts of problems that
you are experiencing, but maybe it's because I don't consider the
'out-of-box' FreeBSD system to be the complete solution to my problem.

Instead, I consider it the baseline, so if there are other configuration
changes that are appropriate for my setup, I'll make them and make sure
all of the boxes I administer also have them.

(These kinds of things can be easily automated, if you have enough
experience with doing them. Most good system administrators are good at
that sort of thing, which flies in the face of what was said below.)

> This problem has bit us more than a few times. It's also one of
> the things that keeps FreeBSD from gaining market share in large
> and high-security networks. If FreeBSD QA implemented the KIS
> principle there would be a single official location for every file
> and no duplicates anywhere on the system.

Not quite. What if you want *two* copies of the software on your
system? Many people want two copies of GCC on their system. Maybe you
want both SSH1 and OpenSSH on your system. The system shouldn't enforce
your ideas on what should be done, because that's a policy decision that
not every site would share.

> The root of the problem is that few FreeBSD developers have extensive
> systems administration experience

*Bwah* *hah* *hah* *hah*

All I can see is that you're sadly mistaken. Many of the FreeBSD
developers *ARE* system administrators in their day jobs (in some form
or the other).

> and few FreeBSD sysadmins have
> a background in large site configuration management.

I'll bet you consider the Yahoo clusters 'small', right?

The current situation reflects the bias of the current developers who
want to give more flexibility to their users. Remember, tools, not
policy.

I administer a bunch of FreeBSD systems, and to be honest, at each
installation I've been required to customize my 'configuration' setups
simply because each site wants things done differently. No one solution
works for everyone, so it's really not the OS's job to do it.

FWIW, FreeBSD does a better job of supplying you with the tools for
building a solution. Certainly it does a much better job than NT,
Novell, Solaris, or any other 'network' OS.
Yes, you can buy 3rd party software for doing it on the other OS's, but
that's because there is a demand for such things, not because they are
better or worse at doing the job.


Nate
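Added example, not part of the original message or of FreeBSD: the quoted complaint is that a newer ssh installed under /usr/local stays hidden behind the base copy that comes earlier in the path, and this sketch shows one way an administrator could automate finding such duplicates. The function name `shadowed_cmds`, the helper `demo_tree` and the throwaway directory tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report commands that exist in more than one PATH directory.

# shadowed_cmds PATHSTRING
# One output line per hidden copy, tab-separated:
#   <command> <copy the shell runs> <copy that is shadowed>
# Runs in a subshell ( ... ) so the IFS and globbing changes stay local.
# Assumes file names contain no tabs or newlines.
shadowed_cmds() (
    IFS=:
    set -f                          # split $1 on ':' without globbing it
    for dir in $1; do
        set +f
        [ -d "$dir" ] || continue   # skip empty or missing entries
        for f in "$dir"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                printf '%s\t%s\n' "${f##*/}" "$f"
            fi
        done
    done | awk -F'\t' '
        !($1 in first)  { first[$1] = $2; next }          # first hit wins
        first[$1] != $2 { print $1 "\t" first[$1] "\t" $2 }'
)

# Constructed sample: a throwaway tree standing in for a base system
# (usr/bin) and a ports prefix (usr/local/bin), each with its own "ssh".
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    for f in usr/bin/ssh usr/bin/scp usr/local/bin/ssh; do
        printf '#!/bin/sh\n' > "$root/$f" && chmod +x "$root/$f"
    done
    printf '%s\n' "$root"
}

demo=$(demo_tree)
shadowed_cmds "$demo/usr/bin:$demo/usr/local/bin"   # base first: the port's ssh is hidden
shadowed_cmds "$demo/usr/local/bin:$demo/usr/bin"   # prefix first: the base ssh is hidden
rm -rf "$demo"
```

On a live system the same check is `shadowed_cmds "$PATH"`, run as each account whose path matters, since root, cron jobs and login shells can each see a different search order.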