Date:      Wed, 31 Jul 2013 14:15:23 +0300
From:      Daniel Kalchev <daniel@digsys.bg>
To:        freebsd-stable@freebsd.org
Subject:   Re: Bind in FreeBSD, security advisories
Message-ID:  <51F8F1CB.20707@digsys.bg>
In-Reply-To: <51F8B0E8.8090608@ShaneWare.Biz>
References:  <CAO%2BPfDctepQY0mGH7H%2BgOSm4HJwhe-RCND%2BmxAArnRxpWiCsjg@mail.gmail.com> <1375186900.23467.3223791.24CB348A@webmail.messagingengine.com> <51F7B5C7.6050008@digsys.bg> <CAOgwaMt4G02yhU0cbiq_EEwhi4=mgt2kLGJf0Rgb8t9wECsGJA@mail.gmail.com> <51F7C07C.9060606@digsys.bg> <op.w01e3qhl8527sy@ronaldradial.versatec.local> <51F7E352.30300@digsys.bg> <51F8B0E8.8090608@ShaneWare.Biz>


On 31.07.13 09:38, Shane Ambler wrote:
> On 31/07/2013 01:31, Daniel Kalchev wrote:
>
>> But here is an idea: Remove BIND from HEAD overnight and see how many
>> will complain ;-) If nobody complains, don't put it back in.
>
> Or change the default to off. If you want bind add WITH_BIND=yes to 
> src.conf

That is just as good a solution as removing BIND from base. It is also 
easier and faster to add it as a package/port, instead of recompiling the 
whole base system.

>
> It's hard to say FreeBSD is a safe and secure OS when part of the base
> install is always being shown to have security flaws. New features need
> to prove they are reliable before they are accepted into a release yet
> we allow something that has a long proven history of being a source of
> security concerns.

Stop right here! There is plenty of other software that is in base and 
is just as "buggy" or even more than BIND.
BIND, by the way, benefits from the fact that it runs on many other 
platforms and that those bugs are typically found there, not on FreeBSD.
In contrast to that the "perfect FreeBSD only code" has bugs discovered 
only when someone stumbles on them in FreeBSD.

>
> For something that needs to be constantly updated in between system
> updates then ports is the place to install it from.

You don't have to update BIND constantly, especially if you are not 
using it. If you are using it, you will want it updated, no matter what.

>
> I think it is less about whether bind is useful and needs to be in base
> and more about should every user of FreeBSD be open to security issues
> or should a user have the option to say "yes I want potentially insecure
> software on my machine". The ports system allows messages that make it
> obvious to the user about security concerns.

You are reading too much into those messages. FreeBSD is not bug free, 
nor is any other piece of code.

>
> How many people setup and use a FreeBSD machine without adding something
> from ports or packages?

Anyone who can, does prefer to not install any ports. I have over a 
dozen servers (and a gazillion jailed instances) that don't have one 
single port installed. I find this feature of FreeBSD especially 
appealing and something we should keep.
By the way, for those inclined to ask me for statistics: this is my 
personal experience. It works for me. If you don't do that, it tells me 
nothing I care about. We might have different reasons to make different 
choices.

Daniel



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51F8F1CB.20707>