Date: Tue, 17 Oct 2006 12:40:57 -0700
From: FreeBSD Security Officer
To: FreeBSD Stable, freebsd security
Reply-To: security-officer@freebsd.org
Organization: FreeBSD Project
Message-id: <453531C9.7080304@freebsd.org>
Subject: FreeBSD 4.x EoL

There has been a lot of discussion on these two mailing lists about the upcoming EoL of FreeBSD 4.x which I mentioned in my email entitled "HEADS UP: FreeBSD 5.3, 5.4, 6.0 EoLs coming soon". Now that everybody (hopefully) has had their say, I'd like to offer some background and explanation.

The concept of "security branches" in the FreeBSD CVS tree was introduced with FreeBSD 4.3, about five years ago. At the time, support was only guaranteed for the most recent FreeBSD release and one -STABLE branch (either the latest stable branch, if two or more releases were based on it, or the previous stable branch). Under this original policy, the only supported branches would now be the security branch for FreeBSD 6.1 and 6-STABLE.

Three and a half years ago, the Security Officer decided to increase the length of time for which releases would be supported, and the policy was changed to promise that releases would be supported until 12 months after their release dates, and that any stable branch containing a supported release would also be supported. Under this policy, the only supported branches would now be the security branches for FreeBSD 5.5, 6.0, and 6.1, and 5-STABLE and 6-STABLE.
A year later, support was once again extended. Security branches became "Errata branches", open to both security fixes and critical stability fixes (as jointly defined by the security and release engineering teams); in addition, some releases were designated as "extended support" releases, to be supported for 24 months after their respective release dates. FreeBSD 4.8 was the first such release, and FreeBSD 4.10, 4.11, 5.3, 5.5, and 6.1 have also been designated as such. It was agreed that the last release from any stable branch (which, since FreeBSD 2.2.x, has always come after the first release from the next stable branch) would always be designated for extended support, in order to provide a minimum of two years for users to upgrade to the new stable branch before their systems became unsupported.

When FreeBSD 4.11 was released on January 25th 2005, the release announcement stated that "this is expected to be the last release from the RELENG_4 branch. Most of the Developers are now focused on the RELENG_5 branch, or on the cutting edge development in HEAD", and on that same day the EoL date of January 31st 2007 was documented on the Security webpage at http://www.freebsd.org/security/. The upcoming end of support for FreeBSD 4.x should therefore not be a surprise.

While it might be convenient for some if FreeBSD releases were supported for far longer, it must be remembered that FreeBSD is a volunteer project which issues new releases every 4-6 months. Whereas a company like Microsoft has funds to hire people to support Windows 200[03] and XP, the FreeBSD Security Team is now supporting six releases -- 4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 -- as volunteers. Each supported release increases the workload on the Security Team, by adding to the number of releases on which patches must be tested, by increasing the time required to investigate security issues, and by often requiring that patches be "back-ported" to apply to older releases. Based on my experience as a member of the Security Team since early 2004, I simply do not think that it is practical to support more than six releases concurrently.

FreeBSD 4.x also poses some challenges due to its age. FreeBSD 4.11 contains OpenSSH 3.5, Sendmail 8.13.1, and BIND 8.3.7; these all act as Internet-facing servers, and are consequently particularly likely to suffer from security issues, but they are all maintained by their respective projects. The FreeBSD Security Team is largely dependent upon receiving security advisories and patches from the "upstream" maintainers of this code and/or from other projects (e.g., Linux vendors) who use the same versions as we do; FreeBSD is now one of the last projects still supporting these versions, and as time passes it will become increasingly difficult to continue to do so.

Even with code written and maintained within the FreeBSD project it would be far from trivial to continue to support FreeBSD 4.x. FreeBSD 4.x has not been the target of new development in FreeBSD since March 2000; FreeBSD, like all free software projects, has constant turnover in its pool of developers, and it is often very difficult to find developers familiar with code in FreeBSD 4.x which has been replaced in newer FreeBSD releases. The FreeBSD project is reaching the point where it lacks the "institutional memory" needed to continue to support FreeBSD 4.x.

In short:

* FreeBSD is a volunteer project, and we don't want to volunteer to support FreeBSD 4.x beyond the scheduled EoL date of January 31st, 2007;

* Even if we did want to support FreeBSD 4.x beyond that date, I'm not certain that we would be able to do so, given that both FreeBSD and the rest of the world have moved on; and

* You've had lots of warning that this was going to happen, so it's a bit late to start complaining now.
Colin Percival
FreeBSD Security Officer