Date: Sat, 16 Dec 2000 13:50:46 -0600 (CST)
From: James Wyatt
To: Roman Shterenzon
Cc: James Lim, security@FreeBSD.ORG
Subject: Re: Security Update Tool..

On Sat, 16 Dec 2000, Roman Shterenzon wrote:
> On Sat, 16 Dec 2000, James Lim wrote:
> > Seems like today we have 2 ideas, ports autoupdate utility (
> > security checks too ) as well as for the src base itself?
> ports auto-update is BAD, BAD, BAD.
> 1) don't fix what's not broken
> 2) newer versions tend to be more bloated and more prone to bugs.

1) This is to fix what *is* broken, isn't it?
2) sometimes - depends on what the update does and who's developing. Many of the wuftpd updates make it better even if checking for bounds causes code bloat. (^_^) Major reconstructs commonly have more bugs than fixes, but I've seen quite a few simple updates that fix something that needed to be fixed ASAP. A smoke alarm for these could be great!

Several folks have pointed-out that automagic updates would be "bad", but something that just let you know when you should look at upgrading something would be great. Some folks see how cool Windows update works, some folks see it could be deadly - it's both and we could do better. The thing I like least about it is that I can't keep a copy of the update files so I can fix several hosts or rebuild broken ones w/o going through the whole site again.

I don't like automagic rebuilds of ports because several of my ports have twists in them for local alterations. For example, I needed to modify both smail and cucipop for adding whosond support to prevent relaying but allow my users to roam freely. Auto remakes would likely die on patching or screw things up more than I could quickly notice, figure out, and fix.

Of course, like many, I have more ideas than patches... - Jy@