From owner-freebsd-questions Sun Jul 29 1:45:21 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15]) by hub.freebsd.org (Postfix) with ESMTP id 5445E37B403 for ; Sun, 29 Jul 2001 01:45:17 -0700 (PDT) (envelope-from tedm@toybox.placo.com)
Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154]) by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f6T8jF859520; Sun, 29 Jul 2001 01:45:15 -0700 (PDT) (envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt"
To: "unknown source" ,
Subject: RE: Would it be so hard?
Date: Sun, 29 Jul 2001 01:45:14 -0700
Message-ID: <005d01c1180a$c940eee0$1401a8c0@tedm.placo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of unknown source
>Sent: Sunday, July 29, 2001 1:09 AM
>To: freebsd-questions@FreeBSD.ORG
>Subject: Would it be so hard?
>
>
>Would it be so hard to have patched ISO images of FreeBSD, kinda like a mini
>release I guess. I'm sure you want support?

Yes it would. While the telnetd vulnerability is only one file - telnetd -
and thus it would not be that difficult to remake the ISO, the Project
already did a binary-only patch to 4.3-RELEASE. Many other security issues
are more serious and involve more files - take a look at BIND in 4.2-RELEASE
for example. Regenerating an ISO is a lot of work being diverted from effort
on the next release.

Furthermore it just provokes people to download the entire ISO instead of
just the patch, which wastes an enormous amount of bandwidth. For this hole,
patching 4.3-RELEASE is a binary-only operation that doesn't even run the
compiler or require the source to be installed. Patching any 4.X that's
earlier than that only requires that sysinstall be run and the /usr/libexec
sources be installed, followed by the source patch, followed by a
'make install'. This is not too hard to ask anybody to do.

Consider there's only a finite amount of bandwidth available to the FTP
servers. Distributing this as a patch that only takes a few seconds to
download maximizes the number of FreeBSD users that can get their system
patched in a timely manner. This tremendously increases the rate at which
vulnerable systems are taken offline, which discourages wannabes from
attempting to attack large numbers of FreeBSD systems, which decreases the
risk to everybody.

>Well I have tried that. I
>purchased the 4.2 powerpack and then purchased 4.3 for what? By the time I
>got them I had to patch the kernel. Now that reminds me of M$: you buy and buy
>and buy but you never have the latest and it's never secure.
>It really is a pain to have to patch the kernel three or four times after an
>install from the ISO

Wake up, this is going to be the norm for ALL operating systems. There's a
veritable army of crackers out there and a much larger number of wannabe
crackers who are all looking for a little recognition by breaking into
systems. They are using more and more sophisticated tools to find more and
more holes, and those holes are going to be discovered at a faster and
faster rate. It's simply impractical to base your release schedule around
when the next bed-wetting cracker wannabe plans to distribute the crack
script that they found.

>not to mention all the ports that you will have to fix

That is NOT the FreeBSD Project's responsibility, that's the port
maintainers' responsibility. And even if the Project was making a new ISO
every time there was a security hole, there's no guarantee that the port
maintainers of every port in BSD would agree to release updated ports for
all the security releases.

>the latest I could find on the -stable or releng branches is 20010721 which
>would need one core and one port patched to be secure if I could figure out
>how to make an ISO out of it. I have seen a Japanese FTP server that has weekly
>ISOs but I don't speak that language. Is there just no interest in being able
>to do a fresh install from a bootable CD that is stable and secure? in the

Not if it requires sacrificing all the other users to do it.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:                            The FreeBSD Corporate Networker's Guide
Book website:                         http://www.freebsd-corp-net-guide.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message