From owner-freebsd-security Thu Apr 18 11: 0:47 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2])
    by hub.freebsd.org (Postfix) with ESMTP id E9B9E37B42A
    for ; Thu, 18 Apr 2002 11:00:23 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2])
    by lariat.org (8.9.3/8.9.3) with ESMTP id MAA18244;
    Thu, 18 Apr 2002 12:00:13 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 12:00:07 -0600
To: nate@yogotech.com (Nate Williams)
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Cc: David Wolfskill , security@FreeBSD.ORG
In-Reply-To: <15551.1949.581870.277391@caddis.yogotech.com>
References: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>
    <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
    <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:51 AM 4/18/2002, Nate Williams wrote:

>Pray tell who is going to verify that a snapshot is both 'known and good'?

That's not "known and good" -- it's "known TO BE good."

>Simply applying security patches doesn't (necessarily) qualify as giving
>you your requirement,

Not if the version being used has also been altered in other ways.

>This ain't rocket science here....

No, it's not. Other open source projects issue periodic "patch level N" snapshots between releases. If a significant security event occurs, FreeBSD should as well. Pick a snapshot after the fixes have gone in, test it, and post it as the next patch level... one that's a relatively safe bet for an admin to upgrade to. In other words, you should be able to go to the download site and actually find a build labeled FreeBSD 4.5-RELEASE-p3.

--Brett