From: "Ronald Klop"
To: freebsd-stable@freebsd.org
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Date: Mon, 15 Dec 2014 10:47:56 +0100
References: <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no>
In-Reply-To: <20141215.082038.41648681.sthaug@nethelp.no>

On Mon, 15 Dec 2014 08:20:38 +0100, wrote:

>> > > It was a deliberate decision made by the maintainer. He said the chroot
>> > > code in the installation was too complicated and would be removed as a
>> > > part of the installation clean-up to get all BIND related files out of
>> > > /usr and /etc. I protested at the time as did someone else, but the
>> > > maintainer did not respond. I think this was a really, really bad
>> > > decision.
>> > >
>> > > I searched a bit for the thread on removing BIND leftovers, but have
>> > > failed to find it.
>> > >
>> >
>> > You're probably thinking about my November 17 posting:
>> > http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
>> >
>> > I'm glad to see others finally speaking up; I was beginning to think I was
>> > the only one who thought this was not a good idea. I'm a bit surprised
>> > that no one has responded yet.
>>
>> I agree with the protesters here. Removing chroot and symlinking logic
>> in the ports is a significant disservice to FreeBSD users, and will
>> make it harder to use BIND in a sensible way. A net disincentive to
>> use FreeBSD :-(
>
> I have now installed my first 10.1 based name server. I had to spend
> some hours to recreate the changeroot environment that I had so easily
> available in FreeBSD up to 9.x.
>
>
> Removing the changeroot environment and symlinking logic is a net
> disservice to the FreeBSD community, and disincentive to use FreeBSD.
>
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Isn't this reasoning a bit flawed? Something hurt you so you state it is
hurting a whole community.
I, for one, am glad the security updates of the Bind software are now
better maintainable across all FreeBSD versions.

NB: using a jail might give an easier to maintain secure environment for
bind than a chroot. With more restrictions to the process also.

Regards,
Ronald.