From owner-freebsd-security Wed May 15 12:36:14 2002
Date: Wed, 15 May 2002 13:35:35 -0600
From: Brett Glass
X-Sender: brett@nospam.lariat.org
To: Rob Andrews
Cc: security@FreeBSD.ORG
Subject: Re: Patch/Announcement for DHCPD remote root hole?
Message-Id: <4.3.2.7.2.20020515132552.0313bbb0@nospam.lariat.org>
In-Reply-To: <20020515120324.E69211@switchblade.cyberpunkz.org>
References: <4.3.2.7.2.20020515101500.00e7fee0@nospam.lariat.org> <4.3.2.7.2.20020509175155.024efc00@nospam.lariat.org> <20020515105453K.matusita@jp.FreeBSD.org>
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.

At 11:03 AM 5/15/2002, Rob Andrews wrote:

>Why is it that you complain about these same issues over and over
>and get answers but seem to ignore them..

Not so.

> A user that installs
>a fresh system should always take the time to update a system
>to the current cvs branch with the latest updates for either -stable
>or -release.

CVSup is a programmer's tool, not an administrator's tool. And it is certainly not a tool for newcomers. It makes the learning curve far too steep -- especially if the person doing the install is just learning UNIX.
Use of CVSup should not be necessary to do a secure install of the system. Also, as I mentioned in an earlier message, there is absolutely no reason to supply buggy, dangerously insecure versions of packages by default. All we're doing is hurting users.

>When you have a "release" version on CD you can't pull all those
>cd's back in, make the changes and send them back out to the stores
>now can you?

No, but you can make it easy to update. In fact, there's good reason for /stand/sysinstall to take users out onto the Net and help them secure the system. Antivirus programs, which are also sold in CD form, do this. The vendor knows that the day after the CD is pressed (maybe even BEFORE the CD is pressed; it takes time to make a master), there's a new update. So, the first thing the program does is try to update itself via the Net.

>Same logic applies to an ftp install of the released
>version of FreeBSD.

There's almost no reason -- ever! -- to do an FTP install of -RELEASE rather than -RELEASE-pN if patches exist. The FreeBSD Web site should steer those who are interested in installing via FTP to the latest patched release by default. Only if they *specifically ask for* the unpatched release should they get it. Otherwise, again, we are doing them a disservice and tarnishing FreeBSD's reputation.

--Brett Glass