From owner-freebsd-security Wed May 15 12:25:48 2002
Message-Id: <4.3.2.7.2.20020515132148.03139eb0@nospam.lariat.org>
Date: Wed, 15 May 2002 13:25:33 -0600
To: "Jacques A. Vidrine"
From: Brett Glass
Subject: Re: Patch/Announcement for DHCPD remote root hole?
Cc: Makoto Matsushita, security@FreeBSD.org
In-Reply-To: <20020515164555.GA33357@madman.nectar.cc>

At 10:45 AM 5/15/2002, Jacques A. Vidrine wrote:

>Careless system administrators / consultants are an even bigger
>security problem.

You're not careless if you expect the package to reflect the latest version of the port. You're expecting something perfectly reasonable.

>If you install 4.5-RELEASE, you get packages that were generated for
>4.5-RELEASE. Surprise.

Why? The packages, like the ports, are software that is not part of FreeBSD. It makes sense to provide the latest versions of those packages to anyone who's downloading.

I seem to recall that there's some way to tell /stand/sysinstall to grab packages from -STABLE. But new users won't know that. (*I* don't even remember what magic incantation you have to type in.) Best to have the latest version of every package be the default, and to make sure that the packages are kept up with the ports.

--Brett