From owner-freebsd-security Wed Apr 11 11:13:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id D041B37B422 for ; Wed, 11 Apr 2001 11:13:38 -0700 (PDT) (envelope-from Jason.DiCioccio@Epylon.com)
Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id <2W45AMY0>; Wed, 11 Apr 2001 11:13:37 -0700
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D77F@goofy.epylon.lan>
From: Jason DiCioccio
To: 'Scott Johnson' , freebsd-security@freebsd.org
Subject: RE: Security Announcements
Date: Wed, 11 Apr 2001 11:13:35 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Scott,

While I don't take your approach to maintaining my machines (I actually use -STABLE), I completely agree with you. I have encountered problems in -STABLE due to the given period of time that I simply cvsupped to it (getting -STABLE on a 'bad day'). Mind you, -CURRENT has many more bad days than -STABLE does, but -STABLE definitely has them. And if every single machine on your network has to be up at all times, I would agree with your patching -RELEASE method. I'm sure many others take this path as well, and it seems a logical one. It's nice to have a choice.

Perhaps patches to -RELEASE wouldn't come out as quickly as they would be committed to -STABLE (obviously), but I still think they should be released within a reasonable time-frame. For instance with NTP, I've seen about every other vendor release advisories/patches for xntpd except for us.

Cheers,
-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH
mailto:jasond@epylon.com

-----Original Message-----
From: Scott Johnson [mailto:sjohn@airlinksys.com]
Sent: Wednesday, April 11, 2001 10:52 AM
To: freebsd-security@freebsd.org
Subject: Re: Security Announcements

There is a difference between security fixes and a 'more low-key and conservative set of changes intended for our next mainstream release'.

I maintain a single source tree for all of my machines. That source tree is 4.2-RELEASE + security patches. Things break in -STABLE despite the care taken in merging from -CURRENT; if I don't need features found only in -STABLE, my preference is to trust more the long testing period of a -RELEASE. While I could test stable on a spare box, that would be time-consuming and error-prone, since that box would have to emulate the designated tasks of all my machines. On the other hand, maintaining a -STABLE source tree in addition to -RELEASE and selectively installing certain things like bind and ntp when the need arises may have problems because the -STABLE software is out of sync with the rest of the system. This also creates problems when building world with the -RELEASE tree, since some software should come from -STABLE. And when it comes down to it, I'd rather build just a kernel, or just a userspace program, and only when I have to, than rebuild everything on a semi-regular basis.

I just want to add my voice as to how I use FreeBSD. Simply saying 'use -STABLE' to those of us running -RELEASE on production systems isn't appropriate, since I believe we have valid reasons for running -RELEASE on our systems. These security issues are not so frequent that providing patches for -RELEASE should be too burdensome. In fact, if -STABLE was fixed, the fix is already available and could be applied to -RELEASE with little or no modification.

I've been pleased, actually, with how patches have been made available for -RELEASE until only recently, when both the bind and ntp vulnerabilities went by without patches. I thought, up till this discussion, that it was assumed that many run a -RELEASE, and that patches were supplied for that reason. I for one (and judging by the posts to this thread I'm not alone) use FreeBSD this way, and I ask that it be considered important to make security patches available for the latest -RELEASE.

Quoth Roberto Nunnari on Wed, Apr 11, 2001 at 02:00:26PM +0200:
> stable is not pre-beta.
> http://www.freebsd.org/handbook/current-stable.html
>
> ...cut and paste from the above:
>
> 19.2.2. Staying Stable with FreeBSD
>
> If you are using FreeBSD in a production environment and want to
> make sure you have the latest fixes from the -CURRENT branch, you
> want to be running -STABLE. This is the tree that -RELEASEs are
> branched from when we are putting together a new release. For
> example, if you have a copy of 3.4-RELEASE, that is really just a
> ``snapshot'' from the -STABLE branch that we put on CDROM. In
> order to get any changes merged into -STABLE after the -RELEASE,
> you need to ``track'' the -STABLE branch.
>
> 19.2.2.1. What is FreeBSD-STABLE?
>
> FreeBSD-STABLE is our development branch for a more low-key and
> conservative set of changes intended for our next mainstream
> release. Changes of an experimental or untested nature do not go
> into this branch (see FreeBSD-CURRENT).

--
Scott Johnson
System/Network Administrator
Airlink Systems

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBOtSfeFCmU62pemyaEQIR6wCdHs0sQHk9embF6L/OJCvNcT+ROEcAnjzO
VHCIoZYuo/e9tAqasm1wB2bp
=qwCa
-----END PGP SIGNATURE-----