Date: Wed, 15 May 2002 14:31:57 -0700 (PDT)
Message-Id: <200205152131.g4FLVv1J011677@webmail.dowco.com>
From: "Michael Lafreniere"
To: freebsd-security@FreeBSD.ORG
Reply-To: mlafren@dowco.com
Subject: RE: Patch/Announcement for DHCPD remote root hole?

Hi,

"CVSup is a programmer's tool, not an administrator's tool. And it is certainly not a tool for newcomers. It makes the learning curve far too steep -- especially if the person doing the install is just learning UNIX."

Speak for yourself, 'cause you can't figure out CVS quickly doesn't mean "newcomers" can't. I'm a self-proclaimed noob to FreeBSD, but it took me 15 mins to set up cron to do a weekly CVS update (now removed and only done when needed by hand). If you need help I can post some sites on how to quickly set it up :) Someone that can't figure this out shouldn't be admining boxes in the wild, period. CVS is a programming AND admin tool.
I've used it for 4-5 months now on the boxes I admin, so please correct your statement. How else am I to keep my source and ports up-to-date with FreeBSD? You must be running very insecure machines if you don't use CVS in an admin function to keep your machines updated :)

I don't wanna be an arse but I've been following this list for over 6 months now and you seem to get stuck on the same issues over and over again, even after you've gotten good solid answers. Listen, absorb for a day or two, then reply if you still disagree; you seem to fire from the hip more than thinking it over well.

-Mike

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Brett Glass
Sent: Wednesday, May 15, 2002 12:36 PM
To: Rob Andrews
Cc: security@FreeBSD.ORG
Subject: Re: Patch/Announcement for DHCPD remote root hole?

At 11:03 AM 5/15/2002, Rob Andrews wrote:

>Why is it that you complain about these same issues over and over
>and get answers but seem to ignore them..

Not so.

>A user that installs
>a fresh system should always take the time to update a system
>to the current cvs branch with the latest updates for either -stable
>or -release.

CVSup is a programmer's tool, not an administrator's tool. And it is certainly not a tool for newcomers. It makes the learning curve far too steep -- especially if the person doing the install is just learning UNIX. Use of CVSup should not be necessary to do a secure install of the system.

Also, as I mentioned in an earlier message, there is absolutely no reason to supply buggy, dangerously insecure versions of packages by default. All we're doing is hurting users.

>When you have a "release" version on CD you can't pull all those
>cd's back in, make the changes and send them back out to the stores
>now can you?

No, but you can make it easy to update. In fact, there's good reason for /stand/sysinstall to take users out onto the Net and help them secure the system.
Antivirus programs, which are also sold in CD form, do this. The vendor knows that the day after the CD is pressed (maybe even BEFORE the CD is pressed; it takes time to make a master), there's a new update. So, the first thing the program does is try to update itself via the Net.

>Same logic applies to an ftp install of the released
>version of FreeBSD.

There's almost no reason -- ever! -- to do an FTP install of -RELEASE rather than -RELEASE-pN if patches exist. The FreeBSD Web site should steer those who are interested in installing via FTP to the latest patched release by default. Only if they *specifically ask for* the unpatched release should they get it. Otherwise, again, we are doing them a disservice and tarnishing FreeBSD's reputation.

--Brett Glass

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message