From owner-freebsd-security Mon Oct 2 15:46:12 2000
Date: Mon, 2 Oct 2000 18:43:18 -0400
From: Garance A Drosihn
To: James Wyatt, Poul-Henning Kamp
Cc: Brett Glass, "Chris D . Faulhaber", security@FreeBSD.ORG
Subject: Re: ftpd bug in FreeBSD through at least 3.4

At 4:30 PM -0500 10/2/00, James Wyatt wrote:
>On Mon, 2 Oct 2000, Poul-Henning Kamp wrote:
>> James Wyatt writes:
>> > Are you saying that if we found a terrible bug (not this easy
>> > one) somewhere critical in 3.5.%d, we'd all have to immediately
>> > upgrade? - Jy@
>>
>> Yes, I am saying that.
>
>Then why is Walnut Creek CDROM still selling it as a current product?
>I don't see Fry's selling older copies of Windows 3.* or DOS 3/4/5,
>do you?
>
>I know there are two forks of FreeBSD - active and stable. That's
>great for making "leading-edge vs. state-of-the-art" decisions,
>but even the palace at Redmond will give me free fixes for Win95
>security bugs. (Some think of it as a quantity discount: as bug
>counts go infinite, price goes to zero. (^_^))

I am not sure why this particular teapot is seeing a tempest right now.

Depending on the situation, FreeBSD 3.x-stable may very well see some
updates. Once it sees an update, people will have to upgrade to get
that update. That may mean someone running 3.2 will suddenly have to
upgrade to 3.x-stable.

How do you expect updates to work, if you are not expecting to upgrade
to get those updates? We are not going to release 3.2.1 to fix a bug
in ftpd, just because some people might find it more convenient than
having to upgrade from 3.2 to 3.5 (or whatever release we're up to
there).

As time goes on, it will be less and less likely that even 3.x-stable
will get updates, because it will be so far behind whatever "today's
stable" is. As time goes on, a fix written for "today's stable" will
not even apply to 3.x-stable, which means that a DIFFERENT update will
need to be written. And if it's a different update, then we need a
different path to test that update out. The farther behind you are
from "today's stable", the more likely it is that it will be too much
work for the project to provide a reliable (tested) security fix to
some ancient release of the system.

People who really are serious about tracking security fixes should
realize that they DO have to keep upgrading their OS. Discussions
about "inconvenience" are silly in that context. They will find it a
lot more inconvenient to be broken into.

If you find that a problem, then buy a support contract. I am sure
that BSDi (among others) will be just as happy to charge you for
support as Microsoft has been.... Also note that Microsoft CHARGED YOU
for support (directly or indirectly) when you first got the OS. That's
why they might have more resources to provide support as your OS gets
long in the tooth.

---
Garance Alistair Drosehn     =  gad@eclipse.acs.rpi.edu
Senior Systems Programmer    or drosih@rpi.edu
Rensselaer Polytechnic Institute