From owner-freebsd-stable@FreeBSD.ORG Wed Jul 31 06:38:39 2013
Message-ID: <51F8B0E8.8090608@ShaneWare.Biz>
Date: Wed, 31 Jul 2013 16:08:32 +0930
From: Shane Ambler
To: freebsd-stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories
References: <1375186900.23467.3223791.24CB348A@webmail.messagingengine.com> <51F7B5C7.6050008@digsys.bg> <51F7C07C.9060606@digsys.bg> <51F7E352.30300@digsys.bg>
In-Reply-To: <51F7E352.30300@digsys.bg>
List-Id: Production branch of FreeBSD source code

On 31/07/2013 01:31, Daniel Kalchev wrote:
> But here is an idea: Remove BIND from HEAD overnight and see how many
> will complain ;-) If nobody complains, don't put it back in.

Or change the default to off.
If you want bind, add WITH_BIND=yes to src.conf.

It's hard to say FreeBSD is a safe and secure OS when part of the base install is always being shown to have security flaws. New features need to prove they are reliable before they are accepted into a release, yet we allow something that has a long proven history of being a source of security concerns. For something that needs to be constantly updated in between system updates, ports is the place to install it from.

I think it is less about whether bind is useful and needs to be in base and more about whether every user of FreeBSD should be open to security issues, or whether a user should have the option to say "yes, I want potentially insecure software on my machine". The ports system allows messages that make it obvious to the user about security concerns.

Yes, many users know the bind utilities and rely on them, but a lot of users have no idea how to use them. I expect that the bind tools are used by a number of users that know what they are doing and need them for testing and debugging issues; they also know how to install them when they need them. I believe most users would not need or use these tools. How many people set up and use a FreeBSD machine without adding something from ports or packages?

And yes, I set up my own DNS server to resolve internal host names instead of filling /etc/hosts with entries. As for the tools like dig and host, I rarely use them.