Date: Mon, 15 Dec 2014 11:41:29 +0100 From: Michelle Sullivan <michelle@sorbs.net> To: Chris Knight <stryqx@gmail.com> Cc: freebsd-stable@freebsd.org Subject: Re: BIND chroot environment in 10-RELEASE...gone? Message-ID: <548EBAD9.8050701@sorbs.net> In-Reply-To: <CAHgj5TQrQ0er0ntsuGAF_e8DRK4NTXzqoxxtYYh3orZZH8_K6w@mail.gmail.com> References: <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com> <alpine.BSF.2.00.1312031407090.78399@roadkill.tharned.org> <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no> <CAHgj5TQrQ0er0ntsuGAF_e8DRK4NTXzqoxxtYYh3orZZH8_K6w@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Chris Knight wrote: > Howdy, > > On 15 December 2014 at 18:20, <sthaug@nethelp.no> wrote: > >> [snip] >> <rant> >> Removing the changeroot environment and symlinking logic is a net >> disservice to the FreeBSD community, and disincentive to use FreeBSD. >> </rant> >> >> > +1 > This, and the mess that is pkg, is making me reconsider FreeBSD as my > Open Source OS of choice, after 20 years of use. > The patchwork quilt of components that makes up a Linux distro doesn't > need to be complemented by further FreeBSD releases :-( > > +1 Ronald Klop wrote: > > Isn't this reasoning a bit flawed? Something hurt you so you state it > is hurting a whole community. > Not really, the problem is you have production environments, people change something (sometimes announced in advance, sometimes not) a security issue comes out and you "upgrade"/"pactch" and suddenly your production environment is broken because the patch didn't just close a security hole, it rewrote the installation in a way that was incompatible with the running environment. > I, for one, am glad the security updates of the Bind software are now > better maintainable across all FreeBSD version. > NB: using a jail might give an easier to maintain secure environment > for bind than a chroot. With more restrictions to the process also. That it might be, but that doesn't justify changing everything on a whim. Happened to me with the Bapt 1st Sept port patches to force people to switch to pkg... I still don't have my production machines switched over, and despite Bapt doing his damnedest in breaking everything, I now have a working build server (with considerable hacking) using the old package system and a pkgng build system so I can build both and continue to migrate servers. However, I spend most of my time patching the Mk/* and Uses/* directories to keep it working.. which majority of the time is just copying new Uses/* files into the old build system and removing the relevant code from the old *.mk files.. Why haven't I switched to pkgng? Production systems that require regression testing dev env's and instead of doing that I'm building and patching systems to make the build process work... and why am I doing that? Because some patches I required in production (some to make it work, some security related) were not patched back to the quarterly where it all worked *despite asking for them to be* so I had to go down the path of making the old build system work again... Now consider this drive to make FreeBSD more like another Linux with a different kernel.... Why would people switch to FreeBSD now, they might just as well stay with Linux and all the packaging problems.. Consider the above to Solaris and a problem I had yesterday... I still have a few Solaris servers, and used to use 'sunfreeware' .. was always a pain to use for any thing that needed other options than those compiled... but it was good for getting a working compiler then could build my own software the hard way... So when 'sunfreeware' stopped being 'free' I switched to OpenCSW... 48 hours ago I had to update and upgrade 3 of the systems due to the latest BIND9 security issue.. found out, Solaris 8 is not supported anymore (they still have all the old working packages - EOL'd - *not broken* - just frozen in time, no new patches...) Solaris 9 had gone the same way... again *not broken*.. and my Solaris 10 box well they had build the packages against a patched LibC that was incompatible with older systems so with the upgrade I found my system had no working sudo, no working ssh, nor any other tools ... so much for 'pkgutil -U -u' (which is the equiv of 'pkg -f upgrade' in PKGNG) not breaking anything... Turns out it was my problem because of a missing base patch, which I applied and got it all back up and running again... however that was because I still had a root shell over ssh and was able to complete patching before losing my connection otherwise I wouldn't have been able to do anything without remote hands... Now my point? I went to the #OpenCSW IRC channel and managed to get a hold of one of the developers that were able to help with the issue, tell me which patch etc.. but it didn't stop there... I commented that it would be nice if my server wasn't so easily fucked because of a missing patch and it should at least be announced... (I was a little pissed off and tetchy) however, complete professionalism there, they helped with the patchid, indicated that the particular patch should have been applied in 2008.. which led me to find out that the 'automated patching' daemon that Sun made had actually failed to patch anything... they came to an agreement (took on board what I said immediately) and have decided to code a patch so that they pkgutil will check for required base packages and refuse to patch anything (including the catalog) to a version of the system that requires a missing patch. At the same time they updated the website immediately to indicate the issue as a warning to people that might be in the same situation as me... This patch they are working on will effectively create a 'rolling EOL' for a particular build set... ie everything will continue working except you can't patch to a level that requires a BaseOS pre-req... so if you need a patched piece of software and don't have a pre-req OS patch you can still download all the latest working tools so you can roll your own until you can BaseOS patch.... what a refreshing change... Developers that take on good ideas without forcing upgrades first or forcing their own agenda's. Harsh... yes maybe... and my apologies to those FreeBSD developers that I have had private email convos with to resolve issues and patches that have also been as helpful.. but theirs is (mostly) not the public voice of change in FreeBSD... Sorry for the rant. (and no I didn't proof-read before hitting send - spend enough time writing it!) -- Michelle Sullivan http://www.mhix.org/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?548EBAD9.8050701>