Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 17 Oct 2006 12:40:57 -0700
From:      FreeBSD Security Officer <cperciva@freebsd.org>
To:        FreeBSD Stable <freebsd-stable@freebsd.org>, freebsd security <freebsd-security@freebsd.org>
Subject:   FreeBSD 4.x EoL
Message-ID:  <453531C9.7080304@freebsd.org>

Next in thread | Raw E-Mail | Index | Archive | Help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There has been a lot of discussion on these two mailing lists about the upcoming
EoL of FreeBSD 4.x which I mentioned in my email entitled "HEADS UP: FreeBSD
5.3, 5.4, 6.0 EoLs coming soon".  Now that everybody (hopefully) has had their
say, I'd like to offer some background and explanation.

The concept of "security branches" in the FreeBSD CVS tree was introduced with
FreeBSD 4.3, about five years ago.  At the time, support was only guaranteed for
the most recent FreeBSD release and one -STABLE branch (either the latest stable
branch, if two or more releases were based on it, or the previous stable
branch).  Under this original policy, the only supported branches would now be
the security branch for FreeBSD 6.1 and 6-STABLE.

Three and a half years ago, the Security Officer decided to increase the length
of time for which releases would be supported, and the policy was changed to
promise that releases would be supported until 12 months after their release
dates, and any stable branch containing a supported release would also be
supported. Under this policy, the only supported branches would now be the
security branches for FreeBSD 5.5, 6.0, and 6.1, and 5-STABLE and 6-STABLE.

A year later, support was once again extended.  Security branches became "Errata
branches", open to both security fixes and critical stability fixes (as jointly
defined by the security and release engineering teams); in addition, some
releases were designated as "extended support" releases, to be supported for 24
months after their respective release dates.  FreeBSD 4.8 was the first such
release, and FreeBSD 4.10, 4.11, 5.3, 5.5, and 6.1 have also been designated as
such.  It was agreed that the last release from any stable branch (which, since
FreeBSD 2.2.x, has always come after the first release from the next stable
branch) would always be designated for extended support, in order to provide a
minimum of two years for users to upgrade to the new stable branch before their
systems became unsupported.

When FreeBSD 4.11 was released on January 25th 2005, the release announcement
stated that "this is expected to be the last release from the RELENG_4 branch.
Most of the Developers are now focused on the RELENG_5 branch, or on the cutting
edge development in HEAD", and on that same day the EoL date of January 31st
2007 was documented on the Security webpage at http://www.freebsd.org/security/.
The upcoming end of support for FreeBSD 4.x should therefore not be a surprise.

While it might be convenient for some if FreeBSD releases were supported for far
longer, it must be remembered that FreeBSD is a volunteer project which issues
new releases every 4-6 months.  Whereas a company like Microsoft has funds to
hire people to support Windows 200[03] and XP, the FreeBSD Security Team is now
supporting six releases -- 4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 -- as volunteers.
Each supported release increases the workload on the Security Team, by adding to
the number of releases on which patches must be tested, by increasing the time
required to investigate security issues, and by often requiring that patches be
"back-ported" to apply to older releases.  Based on my experience as a member of
the Security Team since early 2004, I simply do not think that it is practical
to support more than six releases concurrently.

FreeBSD 4.x also poses some challenges due to its age.  FreeBSD 4.11 contains
OpenSSH 3.5, Sendmail 8.13.1, and BIND 8.3.7; these all act as Internet-facing
servers, and are consequently particularly likely to suffer from security
issues, but they are all maintained by their respective projects.  The FreeBSD
Security Team is largely dependent upon receiving security advisories and
patches from the "upstream" maintainers of this code and/or from other projects
(e.g., Linux vendors) who use the same versions as we do; FreeBSD is now one of
the last projects still supporting these versions, and as time passes it will
become increasingly difficulty to continue to do so.

Even with code written and maintained within the FreeBSD project it would be far
from trivial to continue to support FreeBSD 4.x.  FreeBSD 4.x has not been the
target of new development in FreeBSD since March 2000; FreeBSD, like all free
software projects, has constant turnover in its pool of developers, and it is
often very difficult to find developers familiar with code in FreeBSD 4.x which
has been replaced in newer FreeBSD releases.  The FreeBSD project is reaching
the point where it lacks the "institutional memory" needed to continue to
support FreeBSD 4.x.

In short:
 * FreeBSD is a volunteer project, and we don't want to volunteer to support
FreeBSD 4.x beyond the scheduled EoL date of January 31st, 2007;
 * Even if we did want to support FreeBSD 4.x beyond that date, I'm not certain
that we would be able to do so, given that both FreeBSD and the rest of the
world has moved on; and
 * You've had lots of warning that this was going to happen, so it's a bit late
to start complaining now.

Colin Percival
FreeBSD Security Officer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFFNTHJFdaIBMps37IRAnPVAJ4yeeE+yFq8B2cJJJnMBHzInA7vtgCfXjOa
x4J/fxk3XMgPrGw3In+mSAk=
=no9w
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?453531C9.7080304>