Date: Fri, 19 Apr 2002 08:04:01 -0300 From: "Mario Lobo" <Mlobo@ear.com.br> To: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip Message-ID: <3CBFCF67.3119.3C78042@localhost> In-Reply-To: <4.3.2.7.2.20020418135706.02192c60@nospam.lariat.org> References: <20020418181744.45846.qmail@web14201.mail.yahoo.com>
I've been following this thread since it started and this is the DEFINITE exposition of the problem that Brett has been trying to show since the beginning. To anyone that thinks there is not really an issue here, the last paragraph applies.

Brett, your next step (if there is any next step) is to use apples and oranges!!

Mario Lobo

> Actually, it doesn't. And it really hurts evangelism and new
> adopters of FreeBSD.
>
> For example, here's a rough transcript of a conversation I recently
> had with an admin who wanted to put up a FreeBSD server.
>
> Prospective user: FreeBSD sounds neat. How do I install it?
>
> Me: Well, it's really easy. You just put in the first install floppy,
> boot the system, insert the second floppy when asked, and away you
> go. You can get the release floppies at ftp://www.freebsd.org/.
>
> Prospective user: But I've heard that there were some security holes
> and bugs discovered since then. How do I install a version with those
> problems fixed?
>
> [What I'd like to say: Oh, that's simple. In the same directory
> you'll see 4.5-RELEASE, 4.5-RELEASE-p1, 4.5-RELEASE-p2, et
> cetera. Just get the floppies for the most recent one, and it
> will have all the critical fixes.
>
> What I'd like to hear the prospective user say: This is great!
> I'm glad that FreeBSD lives up to its reputation for being
> easy to install.]
>
> What I have to say now: That's not so simple. First, you have
> to install the last full release, bugs and all. Then, you have
> to use CVSup...
>
> Prospective user: What's that?
>
> Me: Well, it updates your source tree to include the latest fixes.
>
> Prospective user: Source tree? I'm not ready to play with the
> source; I'm not familiar with the system yet, and I don't know
> what this CVSup thing is.
>
> Me: Unfortunately, there's no other way to do it. You have to
> get the latest source, using the tag RELENG_4_5, and then
> do a "make world."
>
> Prospective user: What's a tag? How do I use it? And what's a
> "make world?" And how do you find out the name "RELENG_4_5"
> if you don't know it already?
>
> Me: Do you have about half an hour? I can teach you the basics
> of CVSup....
>
> Prospective user: Naah, never mind. This is more complicated than
> I thought, and it's a lot more complicated than installing
> Red Hat and installing the latest RPMs to fix the bugs. I just
> wanted to download a version of the OS that's secure, but I
> don't have time to learn about all this stuff you're talking
> about right this minute. I guess I'll stick with {Win2K/Linux}.
>
> (End of dialogue)
>
> As you can see from the above, FreeBSD doesn't have a simple answer
> to a simple, reasonable question: "How can I *just install* FreeBSD
> with all of the latest security fixes on a new machine, without
> walking off of a conceptual cliff?"
>
> We need to address this. Not only would it help newcomers; it would
> also help admins who just want to do a quick, no-hassle upgrade that
> includes the latest security fixes. We should NOT say, "the heck with
> them if they're not willing to learn all sorts of developer stuff on
> the spot." That's pointless elitism. And we shouldn't make it
> unreasonably hard for admins to update... or they might not do it.
> And then, when their systems are broken into, FreeBSD's reputation
> as a secure OS suffers.
>
> --Brett Glass

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
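The two questions the prospective user asks in the quoted dialogue, how you find out the name "RELENG_4_5" and what you actually hand to CVSup before the "make world", are answered concretely in the script below. It is an added example, not code from the thread, from Brett Glass, or from the FreeBSD project. It assumes the branch-naming convention FreeBSD used for 4.x at the time: an "X.Y-RELEASE" or "X.Y-RELEASE-pN" system patches along the security branch tag RELENG_X_Y (the tag the quoted message names), while an "X.Y-STABLE" system tracks RELENG_X, which is the development branch rather than a security branch. The host cvsup.FreeBSD.org is a placeholder for whichever mirror is nearest, and the supfile layout follows the handbook's whole-tree "src-all" form of that era.

```shell
#!/bin/sh
# Added example: derive the CVSup tag for a FreeBSD 4.x security branch from
# the version string `uname -r` prints, write the matching supfile, and show
# the rebuild sequence the dialogue calls "make world".
#
# Assumptions (not from the thread): the RELENG_X_Y / RELENG_X naming
# convention described in the lead-in; cvsup.FreeBSD.org as a placeholder
# mirror; /var/db as the CVSup base directory and /usr as the prefix.

# Print the CVS branch tag for a version string such as "4.5-RELEASE-p2".
# Prints nothing and returns 1 if the string is not a form this understands
# (e.g. "5.0-CURRENT", which has no security branch).
branch_tag_for_release() {
    rel=$1
    ver=${rel%%-*}             # "4.5-RELEASE-p2" -> "4.5"
    suffix=${rel#*-}           # "4.5-RELEASE-p2" -> "RELEASE-p2"
    [ "$suffix" = "$rel" ] && return 1     # no dash: not a version string
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$minor" = "$ver" ] && return 1      # no dot: no minor version
    minor=${minor%%.*}
    case "$major$minor" in
        *[!0-9]*|'') return 1 ;;           # must be purely numeric
    esac
    case "$suffix" in
        RELEASE|RELEASE-p[0-9]*)
            # Security branch for X.Y-RELEASE: the tag the dialogue names.
            printf 'RELENG_%s_%s\n' "$major" "$minor" ;;
        STABLE)
            # -STABLE tracks the development branch, not a security branch.
            printf 'RELENG_%s\n' "$major" ;;
        *)
            return 1 ;;
    esac
}

# Emit a supfile that checks out the whole src tree along the given tag.
# Second argument overrides the placeholder mirror host.
write_supfile() {
    tag=$1
    host=${2:-cvsup.FreeBSD.org}
    printf '%s\n' \
        "*default host=$host" \
        "*default base=/var/db" \
        "*default prefix=/usr" \
        "*default release=cvs tag=$tag" \
        "*default delete use-rel-suffix" \
        "src-all"
}

# The "make world" step, in the order the handbook of the time gave it.
# Run as root after writing the supfile; installworld happens after reboot
# so the new kernel is running before the new userland goes in.
rebuild_from_source() {
    supfile=$1
    cvsup -g -L 2 "$supfile" &&
    cd /usr/src &&
    make buildworld &&
    make buildkernel &&
    make installkernel &&
    echo 'Reboot, then: cd /usr/src && make installworld && mergemaster'
}

# Usage: sh security-branch.sh 4.5-RELEASE-p1 > supfile
# With no argument the script only defines the functions above.
if [ -n "${1:-}" ]; then
    tag=$(branch_tag_for_release "$1") || {
        echo "unrecognized version string: $1" >&2
        exit 2
    }
    write_supfile "$tag"
fi
```

Feeding `uname -r` into `branch_tag_for_release` on an installed 4.5-RELEASE box yields RELENG_4_5, which is exactly what the quoted "Me" had to know by heart; the supfile it produces is the one CVSup needs before the buildworld sequence, so the whole conversation collapses to one script invocation once the convention is encoded.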
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3CBFCF67.3119.3C78042>