Date: Wed, 27 Sep 2000 16:38:11 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: sigma@pair.com, freebsd-security@freebsd.org, green@Freebsd.org
Subject: Re: Status of FreeBSD-SA-00:41.elf?
Message-ID: <Pine.BSF.4.21.0009271538380.52470-100000@achilles.silby.com>
In-Reply-To: <Pine.BSF.4.21.0009271256570.81104-100000@freefall.freebsd.org>
On Wed, 27 Sep 2000, Kris Kennaway wrote:

> The issue is that most FreeBSD developers do not have a 3.5 machine
> available for testing - BSDi were supposed to be setting up one for us to
> use but it has not yet come through. This makes it very hard to test
> security fixes to the 3.5 branch so we don't break it by just committing
> blindly (in fact, I think we should officially drop security support for
> the 3.x branch because in practice it's not being supported for security
> fixes). I believe the problem is still not fixed in 3.5-STABLE at this
> time.

One of the features of FreeBSD which I've found appealing in comparison to the linuxes I've seen is the relative ease of upgrade and assurance that your base system is secure after a simple buildworld/installworld. I think that losing this feature for any version more than three months old would be a serious blow to the confidence of FreeBSD users everywhere.

I can't fault the developers for having personal boxes running 4+; I myself made the same move. However, I find it hard to believe that BSDi can't find the resources to set up a single 3.x box. After all, 3.5.1 is still being sold at freebsdmall.com, with the prominent "brought to you by BSDi" logo at the top of the page. Surely the proceeds from the CD sales will at least cover the cost of a tiny celeron/duron system.

OTOH, if the lack of a box is really a metaphor for the security team being overworked, perhaps pursuing a solution similar to how OpenSSH is developed is a good long-term strategy. After fully debugging and fixing a vulnerability in the current-stable release, a group of developers interested in maintaining older -stables can be given the same information/exploits/etc. so that they can modify patches to fix their releases of interest. Perhaps pair or some other provider dependent on 3.x could set up a box and organize this kind of group.

Undoubtedly, I'm oversimplifying the issues here. However, the likelihood remains that if 3.x is abandoned, users may react by leaving FreeBSD rather than upgrading to 4.x. Getting this situation resolved is in everyone's best interests.

Mike "Silby" Silbersack