From owner-freebsd-security  Thu Apr 18 11: 2:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66])
	by hub.freebsd.org (Postfix) with ESMTP id 8812637B42B
	for <security@FreeBSD.ORG>; Thu, 18 Apr 2002 11:02:40 -0700 (PDT)
Received: from caddis.yogotech.com (caddis.yogotech.com [206.127.123.130])
	by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id MAA27732;
	Thu, 18 Apr 2002 12:02:38 -0600 (MDT)
	(envelope-from nate@yogotech.com)
Received: (from nate@localhost)
	by caddis.yogotech.com (8.11.6/8.11.6) id g3II2b225974;
	Thu, 18 Apr 2002 12:02:37 -0600 (MDT)
	(envelope-from nate)
From: Nate Williams <nate@yogotech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15551.2621.764783.518524@caddis.yogotech.com>
Date: Thu, 18 Apr 2002 12:02:37 -0600
To: Brett Glass <brett@lariat.org>
Cc: nate@yogotech.com (Nate Williams),
	David Wolfskill <david@catwhisker.org>, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org>
References: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>
	<4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
	<4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org>
X-Mailer: VM 6.96 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

> >Pray tell who is going to very that a snapshot is both 'known and good'?
> 
> That's not "known and good" -- it's "known TO BE good."

Same thing.  If it's good, and you have no way of getting the same
snapshot it doesn't help you.

> >Simply applying security patches doesn't (necessarily) qualify as giving
> >you your requirement,
> 
> Not if the version being used has also been altered in other ways.

Sure it does.  The security patch could break your running system,
because it may not have been tested in your exact configuration, on your
exact hardware.

> >This ain't rocket science here....
> 
> No, it's not. Other open source projects issue periodic "patch level N"
> snapshots between releases.

As does FreeBSD, if you'd get your head out of your butt and use it.


Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message