Date:      Mon, 15 Dec 2014 22:50:24 -0800
From:      "Chris H" <bsd-lists@bsdforge.com>
To:        <freebsd-stable@freebsd.org>
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <7b45af36d8b18292188ef78b427f6f52@ultimatedns.net>
In-Reply-To: <CAN6yY1uuj7Jj65zOsKZ=3Uk3y-E300BeyY=NA9iU%2B%2Bn5CKBqyg@mail.gmail.com>
References:  <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com> <alpine.BSF.2.00.1312031407090.78399@roadkill.tharned.org> <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no> <e209e27f9eb42850326f5a4df458722b@ultimatedns.net>, <CAN6yY1uuj7Jj65zOsKZ=3Uk3y-E300BeyY=NA9iU%2B%2Bn5CKBqyg@mail.gmail.com>

On Mon, 15 Dec 2014 22:12:45 -0800 Kevin Oberman <rkoberman@gmail.com> wrote

> On Mon, Dec 15, 2014 at 8:24 PM, Chris H <bsd-lists@bsdforge.com> wrote:
> 
> > On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug@nethelp.no wrote
> >
> > > > > > It was a deliberate decision made by the maintainer. He said the chroot
> > > > > > code in the installation was too complicated and would be removed as a
> > > > > > part of the installation clean-up to get all BIND related files out of
> > > > > > /usr and /etc. I protested at the time as did someone else, but the
> > > > > > maintainer did not respond. I think this was a really, really bad
> > > > > > decision.
> > > > > >
> > > > > > I searched a bit for the thread on removing BIND leftovers, but have
> > > > > > failed to find it.
> > > > > >
> > > > >
> > > > > You're probably thinking about my November 17 posting:
> > > > >
> > > > > http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
> > > > >
> > > > > I'm glad to see others finally speaking up; I was beginning to think I
> > > > > was the only one who thought this was not a good idea. I'm a bit
> > > > > surprised that no one has responded yet.
> > > >
> > > > I agree with the protesters here. Removing chroot and symlinking logic
> > > > in the ports is a significant disservice to FreeBSD users, and will
> > > > make it harder to use BIND in a sensible way. A net disincentive to
> > > > use FreeBSD :-(
> > >
> > > I have now installed my first 10.1 based name server. I had to spend
> > > some hours to recreate the changeroot environment that I had so easily
> > > available in FreeBSD up to 9.x.
> > >
> > > <rant>
> > > Removing the changeroot environment and symlinking logic is a net
> > > disservice to the FreeBSD community, and disincentive to use FreeBSD.
> > > </rant>
> > In all fairness (is there even such a thing?);
> > "Convenience" is a two-way street. For each person that thinks
> > the BIND chroot(8) mtree(8) symlink(2) was a great "service", there
> > are at *least* as many who feel differently. I chose to remove/disable
> > the BIND, from BASE, some time ago. As it wasn't "convenient" to have
> > to overcome/deal with the CVE/security issues. In the end, I was forced
> > to re-examine some of the other resolvers, that ultimately, only proved
> > to be better choice(s).
> >
> > Just sayin'
> >
> > --Chris
> >
> 
> Please don't conflate issues. Moving BIND out of the base system is
> something long overdue. I know that the longtime BIND maintainer, Doug B,
> had long felt it should be removed. This has exactly NOTHING to do with
> removing the default chroot installation. The ports were, by default
> installed chrooted. Jailed would have been better, but it was not something
> that could be done in a port unless the jail had already been set up.
> chroot is still vastly superior to not chrooted
Agreed.

> and I was very distressed
> to see it go from the ports.
> 
> Disclaimer, since I retired I am no longer running a DNS server, so this
> had no impact on me. I simply see it as an unfortunate regression.
In the end I was forced to explore other avenues I probably wouldn't
have taken the time to do (then). In the end, I was all the better for
having done so. The same might also be said for chroot v. jail v {...}
It wasn't my intention to "pick" on any app/policy, per se;

--Chris

> --
> Kevin Oberman, Network Engineer, Retired