Date:      Tue, 3 Dec 2013 17:09:23 -0800
From:      Kevin Oberman <rkoberman@gmail.com>
To:        Chris H <bsd-lists@1command.com>
Cc:        "freebsd-stable@freebsd.org Stable" <freebsd-stable@freebsd.org>
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <CAN6yY1v=VuUCD0C0OgjEVDfnz08hrqmkWvcCMJQrxJ96ecGUfw@mail.gmail.com>
In-Reply-To: <560e9b24248600b4125c8786712d0bf9.authenticated@ultimatedns.net>
References:  <1386086749.9599.54995173.6CD35E54@webmail.messagingengine.com> <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com> <alpine.BSF.2.00.1312031407090.78399@roadkill.tharned.org> <20131203.223612.74719903.sthaug@nethelp.no> <560e9b24248600b4125c8786712d0bf9.authenticated@ultimatedns.net>

On Tue, Dec 3, 2013 at 2:10 PM, Chris H <bsd-lists@1command.com> wrote:

> >> > It was a deliberate decision made by the maintainer. He said the chroot
> >> > code in the installation was too complicated and would be removed as a
> >> > part of the installation clean-up to get all BIND related files out of
> >> > /usr and /etc. I protested at the time as did someone else, but the
> >> > maintainer did not respond. I think this was a really, really bad
> >> > decision.
> >> >
> >> > I searched a bit for the thread on removing BIND leftovers, but have
> >> > failed to find it.
> >> >
> >>
> >> You're probably thinking about my November 17 posting:
> >>
> >> http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
> >>
> >> I'm glad to see others finally speaking up; I was beginning to think I was
> >> the only one who thought this was not a good idea.  I'm a bit surprised
> >> that no one has responded yet.
> >
> > I agree with the protesters here. Removing chroot and symlinking logic
> > in the ports is a significant disservice to FreeBSD users, and will
> > make it harder to use BIND in a sensible way. A net disincentive to
> > use FreeBSD :-(
>
> I strongly disagree. The BIND is still available within FreeBSD for anyone
> who chooses to use/install it. Further, nothing stops anyone who wishes to
> continue using the CHROOT(8) script(s) that provided the BIND with a chroot.
> Any copy of a FreeBSD-8 (maybe even 9) install CD/DVD holds all the "magic"
> required. It is _easily_ acquired, and implemented. In fact, one could easily
> turn the whole affair into an automated routine.
> So. Bottom line; the BIND still remains with FreeBSD, nothing has been
> taken away.
> The CHROOT(8) scripts are still easily available, and can be implemented,
> at will, by anyone who cares to continue using it.
> What's the big deal?
>

The big deal was that BIND, by default, just installed in a clean chroot
environment. It just worked. Now installing BIND from ports simply puts it
there with no added protection at all. Since it has long been recommended
that BIND either be run chrooted or jailed, this looks like a large step
backwards to me. The code was all there. I realize that moving the symlinks
around to do the job without polluting the base OS would take some doing,
but there is no reason it could not be done or that it should be terribly
difficult (said without looking at all of the details).

I hate to see regressions and this is clearly a regression. Worse, it was a
deliberate one made with a very casual comment that it was just cleaning up
the script by eliminating the complicated chroot code.
-- 
R. Kevin Oberman, Network Engineer
E-mail: rkoberman@gmail.com
