Date: Thu, 18 Apr 2002 09:18:58 -0700 (PDT)
From: David Wolfskill
Message-Id: <200204181618.g3IGIwkd029030@bunrab.catwhisker.org>
To: brett@lariat.org, schulte+freebsd@nospam.schulte.org, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>

>Date: Thu, 18 Apr 2002 10:10:15 -0600
>From: Brett Glass

>At 11:11 PM 4/17/2002, Christopher Schulte wrote:

>>You can synchronize your source tree and recompile. See:
>>http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html

>Alas, this is not an acceptable solution.

>I realize that many people use FreeBSD on non-mission-critical systems, or
>to tinker with, and can afford downtime. But we need to create and maintain
>production machines.

>I hope that you can understand that doing a CVSup and then rebuilding the
>world every night (slowing the system to a crawl in the process and
>creating a system which might or might not be 100% stable) is not an
>acceptable solution. Nor is downloading a random snapshot. (Which one
>can't seem to do anyway these days; releng4.freebsd.org is refusing

That is irrelevant and specious.

If you have systems that are that important to you -- and I do, even here at home -- then acquire a machine to do the builds, and then use some method other than "build in place" to install the result.

In some cases, that could be NFS (perhaps over a special network dedicated to such tasks); in others, it could be using such capabilities as provided by atacontrol to insert a drive with a system image while the target system remains up and running.

In neither case is the target system required to do the builds (and consume the time and other resources necessary).

>What is needed is a known good "p3" (or "p-whatever") build that can be
>installed quickly with minimum downtime. Yet, despite the fact that
>people routinely refer to (for example) "4.5-RELEASE-p3", no such build
>seems to actually exist. For those of us who create and manage production
>servers, there should be.

Patches?

Thanks....

Cheers,
david (links to my resume at http://www.catwhisker.org/~david)
-- 
David H. Wolfskill david@catwhisker.org
Based on my experience as a computing professional, I consider the use of Microsoft products as components of computing systems to be just as advisable as using green wood to frame a house... and expect similar results.