Date:      Mon, 11 Dec 2017 08:39:02 -0800
From:      "Chris H" <portmaster@BSDforge.com>
To:        "Matt Smith" <matt.xtaz@gmail.com>
Cc:        "Adam Weinberger" <adamw@adamw.org>, <sgk@troutmask.apl.washington.edu>, <freebsd-ports@freebsd.org>
Subject:   Re: Procmail Vulnerabilities check
Message-ID:  <32da0142ef01d545aff61de3a3946d62@udns.ultimatedns.net>
In-Reply-To: <20171211111031.GA92072@gmail.com>

On Mon, 11 Dec 2017 11:10:32 +0000 "Matt Smith" <matt.xtaz@gmail.com> said

> On Dec 10 14:58, Chris H wrote:
> >OK I'm puzzled a bit. FreeBSD's motto has always been:
> >FreeBSD
> >The power to serve!
> >
> >but many of the proposed, and recent changes/removals end up more like:
> >FreeBSD
> >It's castrated!
> 
> The problem with software in the base is that it is *much* more
> difficult to update to add new features or patch security issues. With a
> port the software will be updated relatively quickly. And users can get
> the benefits of that with a quick pkg upgrade. They might not update
> their O/S for 6-12 months.
> 
> In my opinion any software which is accessible to the internet should be
> patched and upgraded ASAP. It's for this reason that I've always
> disabled things like OpenSSH/OpenSSL/ntpd etc in the base and used port
> versions instead.
I applaud that attitude. I couldn't agree more. For that same reason, I
(not unlike you) have always excluded software that history has proven
to pose security risks ( WITHOUT_BIND=true ) for example. The same can also
*easily* be said of OpenSSL.
However, the same argument can't be made for Sendmail. Further, if I take
your argument to its logical end, I am left with only the kernel? At what
point is enough, enough? Is the new pkg(8) system simply an attempt to make
FreeBSD the new Debian? Where everything is installed via (a) pkg? I *dearly*
hope not. The thought makes me shudder. Not that I hate Debian/Linux. Just
that I *prefer* FreeBSD, or at least a *BSD. Taking that thought a bit further;
if the majority of people install their systems via packages, that makes for
a fairly common FreeBSD base across all users. Speaking (again) of security;
doesn't this lower the bar for entry for hacking the FreeBSD (user) base?
IOW if the majority installs their systems via packages, their systems will
all be *quite* similar. If I, an evil hacker, *know* of an entry point/flaw/...
Then I can take down a *much* larger portion of FreeBSD users, than was
usually available to me. *This* point alone, seems the biggest argument
*against* "packaging everything". IOW because it's easier, does *not* make
it better. In the big scheme of things, it really makes it *lazier*. Or at
least makes it easier to be so. One *could* argue that it *encourages* it.
But I'm only speaking from decades of support/IT work. I *know* it's true,
and I'm *not* suggesting that FreeBSD is *advocating it*. Only that (my)
history, and experience proves that it is largely human nature to take the
least line of resistance. Which in this case says history will show that the
addition of a packaged system will raise the number of people vulnerable to
threat.
In closing, and more to the point regarding Sendmail; Sendmail has a nearly
impeccable security record in at least the last decade. It provides a *secure*,
more powerful, and more flexible MX on the cheap. I see little reason to
consider it an attack vector. Which makes *security*, and its related
maintenance a pretty poor argument, for its removal.

--Chris
> 
> -- 
> Matt
