Date:      Thu, 18 Apr 2002 11:59:26 -0600
From:      Nate Williams <nate@yogotech.com>
To:        Brett Glass <brett@lariat.org>
Cc:        nate@yogotech.com (Nate Williams), Christopher Schulte <schulte+freebsd@nospam.schulte.org>, security@FreeBSD.ORG
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID:  <15551.2430.223189.820500@caddis.yogotech.com>
In-Reply-To: <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
References:  <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>

> >Who said anything about building it every night?
> 
> Many people are suggesting that one CVSup every night.

How is doing a CVSup and building a release related?  You can build a
system every night and never do a build?  You can do a build every night
and never do a CVSup?  They are completely unrelated operations.

> >> Nor is downloading a random snapshot. (Which one can't seem to do
> >> anyway these days; releng4.freebsd.org is refusing
> >
> >Who said anything about a 'random' snapshot.  Pick the snapshot that has
> >the fix applied (using the date), and build it.
> 
> How does one know that there isn't a system-crashing bug in some other
> part of the tree for the same date?

How do you know that the patch doesn't cause your system to crash,
because of the special circumstances in your setup that weren't seen
previously?

> What's needed is not just the snapshot that happened to be available
> that day (or today) but one that's known to be reasonably
> stable. Remember, a snapshot of -STABLE taken on a random day is not
> guaranteed even to boot!

Except, a snapshot of RELENG_4_[2345] *are* guaranteed to both boot, and
contain minimal changes (security only), in as much as you get *any*
guarantee from any vendor.

> >There is.  Download the 'random snapshot' using the RELENG_4_5 tag.
> >All I see from you is a lot of bitching about how the FreeBSD project
> >didn't hold your hand tight enough
> 
> Not true at all. What administrators using FreeBSD need is not
> "hand-holding" but a way to upgrade to a known good snapshot.

Many folks have provided you with ample ways to get a known/good
snapshot.  You simply refuse to use them.

> Not necessarily the absolute latest, but one with the needed
> patches which others have seen to work.

See above.  That *is*

> >and have a developer show up on your
> >doorstep to install and verify every single version of FreeBSD you use.
> 
> I'm a developer myself, and therefore understand the value of testing.
> It should be possible to get a snapshot ("patch level N," or whatever)
> which one knows that others have tried and have found to work. As an
> administrator, you should want this too.

And I do on those systems, but apparently I have more of a clue than you
do, since I don't find it at all a problem to follow the advice given by
many people who've contributed to this thread (and similar threads
you've raised in the past.)

There are at two active *branches* in FreeBSD, and a number of
semi-active branches.

Active:
- RELENG_4 (stable)
- HEAD (current)

Semi-active:
- RELENG_4_5 (security patches to FreeBSD4.5)
- RELENG_4_4 (security patches to FreeBSD4.5)
- RELENG_4_3 (security patches to FreeBSD4.5)

Less-active:
- RELENG_3
- RELENG_2

If you want a *completely* stable release without bad patches (to the
best of the ability of the developers), and you are running a system
based on FreeBSD 4.[345], then grab the RELENG_4_[345] branch, which is
the exact same code as the releases plus security patches.

This is all laid out in the security advisories, which apparently you
actually don't completely read.




Nate
