From owner-freebsd-security Thu Apr 18 13:18:53 2002
Message-Id: <4.3.2.7.2.20020418135706.02192c60@nospam.lariat.org>
Date: Thu, 18 Apr 2002 14:18:14 -0600
To: Jon Bergfeld , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <20020418181744.45846.qmail@web14201.mail.yahoo.com>
References: <4.3.2.7.2.20020418120036.021ceb30@nospam.lariat.org>

At 12:17 PM 4/18/2002, Jon Bergfeld wrote:

>look, the existing process seems to work fine for everyone else

Actually, it doesn't. And it really hurts evangelism and new adopters of FreeBSD. For example, here's a rough transcript of a conversation I recently had with an admin who wanted to put up a FreeBSD server.

Prospective user: FreeBSD sounds neat. How do I install it?

Me: Well, it's really easy. You just put in the first install floppy, boot the system, insert the second floppy when asked, and away you go. You can get the release floppies at ftp://www.freebsd.org/.

Prospective user: But I've heard that there were some security holes and bugs discovered since then. How do I install a version with those problems fixed?

[What I'd like to say: Oh, that's simple. In the same directory you'll see 4.5-RELEASE, 4.5-RELEASE-p1, 4.5-RELEASE-p2, et cetera. Just get the floppies for the most recent one, and it will have all the critical fixes.

What I'd like to hear the prospective user say: This is great! I'm glad that FreeBSD lives up to its reputation for being easy to install.]

What I have to say now: That's not so simple. First, you have to install the last full release, bugs and all. Then, you have to use CVSup...

Prospective user: What's that?

Me: Well, it updates your source tree to include the latest fixes.

Prospective user: Source tree? I'm not ready to play with the source; I'm not familiar with the system yet, and I don't know what this CVSup thing is.

Me: Unfortunately, there's no other way to do it. You have to get the latest source, using the tag RELENG_4_5, and then do a "make world."

Prospective user: What's a tag? How do I use it? And what's a "make world?" And how do you find out the name "RELENG_4_5" if you don't know it already?

Me: Do you have about half an hour? I can teach you the basics of CVSup....

Prospective user: Naah, never mind. This is more complicated than I thought, and it's a lot more complicated than installing Red Hat and installing the latest RPMs to fix the bugs. I just wanted to download a version of the OS that's secure, but I don't have time to learn about all this stuff you're talking about right this minute. I guess I'll stick with {Win2K/Linux}.

(End of dialogue)

As you can see from the above, FreeBSD doesn't have a simple answer to a simple, reasonable question: "How can I *just install* FreeBSD with all of the latest security fixes on a new machine, without walking off of a conceptual cliff?"

We need to address this. Not only would it help newcomers; it would also help admins who just want to do a quick, no-hassle upgrade that includes the latest security fixes. We should NOT say, "the heck with them if they're not willing to learn all sorts of developer stuff on the spot." That's pointless elitism. And we shouldn't make it unreasonably hard for admins to update... or they might not do it. And then, when their systems are broken into, FreeBSD's reputation as a secure OS suffers.

--Brett Glass