Date: Mon, 16 Jun 2003 02:29:50 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: Thanjee Neefam <thanjee@fastmail.fm>
Cc: freebsd-questions@freebsd.org
Subject: Re: key barriers
Message-ID: <3EED63DE.9040009@potentialtech.com>
In-Reply-To: <20030616051310.41F5C6D729@smtp.us2.messagingengine.com>
References: <20030616034216.AF44B341B4@www.fastmail.fm> <20030616051310.41F5C6D729@smtp.us2.messagingengine.com>

Thanjee Neefam wrote:
> The key barrier to FreeBSD is java. I go to
> http://www.freebsd.org/java/ and the main text says FreeBSD supports
> 1.1.8, which isn't good enough for my needs.
>
> However, there is also a 1.4 link on that page, but that page says the
> FreeBSD version is currently missing features.

http://www.freebsd.org/ports/java.html

I haven't used Java on FreeBSD much, but I didn't find anything missing
when I did. I'm sure there are others better suited to answer this,
however.

> This is the second key issue. I know of someone who runs an old
> open-source OS (about 3 versions behind the current), who doesn't know
> how to patch his box unless he downloads 4 or so CDs. That box was
> recently compromised and the fix that person performed was to rebuild
> the machine with the same old OS, and recover data from tape.

I can't imagine what that person was thinking. But you say "old
open-source OS" ... if it was FreeBSD, then the admin was a fool. I have
several boxes I admin, and keeping them up to date is easy. If you let a
machine slip so far behind that you can't easily update it, then it's
your own fault. If no security problems force you to update earlier, you
should be able to update once a year with no problems and stay
reasonably current.

> I like being able to browse to www.debian.org/security and to know that
> on certain days as many as 5 patches are released. And that with a
> single command I can apply all the patches I need.
>
> Now, FreeBSD has a similar page freebsd.org/security but it doesn't list
> as many bugs. Does that mean FreeBSD has fewer holes?

I guess. If Debian's security page has more listed, then Debian has more
holes. All the known holes in FreeBSD are listed there.

> Or does it mean
> it takes longer to fix them in FreeBSD?

Heavens no. FreeBSD fixes problems as fast or faster than any other
project I'm aware of.

> Or that people are not testing
> the security of BSD as much as Debian?

Well, I don't know how much testing the Debian folks do, but FreeBSD is
heavily used and abused by a lot of people. If security is a major
concern, then you should use OpenBSD, which is the most secure system
out there, period.

> At the top of the debian security page is directions on how to apply all
> relevant patches. There is no such information on the FreeBSD security
> page (that I could see, correct me if I am wrong). Instead the
> directions are attached to the Security Advisory, and involve
> recompiling your operating-system/kernel and rebooting (at least it did
> for the two I checked 'openssl' and 'syncookies' SA for 4.8

This is how things are done on FreeBSD. If you can apply a patch to the
kernel without rebooting in Debian, then the Debian folks are far ahead
of anything I've seen!

Besides, different security issues may require different levels of
activity to patch, so trying to give one set of rules for every single
security patch would be difficult, impossible, or inaccurate. A patch to
the kernel will definitely require a reboot, while a patch to inetd
would require rebuilding inetd and doing "killall inetd; inetd" and save
you the reboot. Trying to make one set of instructions for all patches
would have to be lowest common denominator, thus telling the user to
reboot after patching inetd, when that's not needed.

I've never had any complaints with the "upgrade your source to the
latest security patch version, rebuild the OS and reboot" system of
fixing flaws. On the slowest machines I admin, this can still be done
before lunchtime and the actual downtime is less than 15 minutes.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com