From: "Chris H"
To: freebsd-stable@freebsd.org
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Date: Mon, 15 Dec 2014 22:50:24 -0800
Message-id: <7b45af36d8b18292188ef78b427f6f52@ultimatedns.net>
References: <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no>

On Mon, 15 Dec 2014 22:12:45 -0800 Kevin Oberman wrote
> On Mon, Dec 15, 2014 at 8:24 PM, Chris H wrote:
>
> > On Mon, 15 Dec 2014 08:20:38 +0100 (CET) sthaug@nethelp.no wrote
> >
> > > > > > It was a deliberate decision made by the maintainer. He said the
> > > > > > chroot code in the installation was too complicated and would be
> > > > > > removed as a part of the installation clean-up to get all BIND
> > > > > > related files out of /usr and /etc. I protested at the time as did
> > > > > > someone else, but the maintainer did not respond. I think this was
> > > > > > a really, really bad decision.
> > > > > >
> > > > > > I searched a bit for the thread on removing BIND leftovers, but
> > > > > > have failed to find it.
> > > > >
> > > > > You're probably thinking about my November 17 posting:
> > > > >
> > > > > http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
> > > > >
> > > > > I'm glad to see others finally speaking up; I was beginning to think
> > > > > I was the only one who thought this was not a good idea. I'm a bit
> > > > > surprised that no one has responded yet.
> > > >
> > > > I agree with the protesters here. Removing chroot and symlinking logic
> > > > in the ports is a significant disservice to FreeBSD users, and will
> > > > make it harder to use BIND in a sensible way. A net disincentive to
> > > > use FreeBSD :-(
> > >
> > > I have now installed my first 10.1 based name server. I had to spend
> > > some hours to recreate the changeroot environment that I had so easily
> > > available in FreeBSD up to 9.x.
> > >
> > > Removing the changeroot environment and symlinking logic is a net
> > > disservice to the FreeBSD community, and a disincentive to use FreeBSD.
> >
> > In all fairness (is there even such a thing?);
> > "Convenience" is a two-way street. For each person that thinks
> > the BIND chroot(8) mtree(8) symlink(2) was a great "service", there
> > are at *least* as many who feel differently. I chose to remove/disable
> > the BIND, from BASE, some time ago, as it wasn't "convenient" to have
> > to overcome/deal with the CVE/security issues. In the end, I was forced
> > to re-examine some of the other resolvers, that ultimately, only proved
> > to be better choice(s).
> >
> > Just sayin'
> >
> > --Chris
>
> Please don't conflate issues. Moving BIND out of the base system is
> something long overdue. I know that the longtime BIND maintainer, Doug B,
> had long felt it should be removed. This has exactly NOTHING to do with
> removing the default chroot installation. The ports were, by default,
> installed chrooted. Jailed would have been better, but it was not something
> that could be done in a port unless the jail had already been set up.
> chroot is still vastly superior to not chrooted

Agreed.

> and I was very distressed
> to see it go from the ports.
>
> Disclaimer, since I retired I am no longer running a DNS server, so this
> had no impact on me. I simply see it as an unfortunate regression.

In the end I was forced to explore other avenues I probably wouldn't have
taken the time to do (then). In the end, I was all the better for having
done so. The same might also be said for chroot v. jail v {...}

It wasn't my intention to "pick" on any app/policy, per se;

--Chris

> --
> Kevin Oberman, Network Engineer, Retired