From owner-freebsd-security Wed May 15 21:59:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.lambertfam.org (www.lambertfam.org [216.223.196.6]) by hub.freebsd.org (Postfix) with ESMTP id 5267537B407 for ; Wed, 15 May 2002 21:59:25 -0700 (PDT) Received: from localhost.localdomain (localhost [127.0.0.1]) by localhost.inch.com (Postfix) with ESMTP id 8879C3501F for ; Thu, 16 May 2002 00:57:07 -0400 (EDT) Received: from laptop.lambertfam.org (TC1-dial-24-195.oldslip.inch.com [216.223.195.24]) by mail.lambertfam.org (Postfix) with ESMTP id 3230335019 for ; Thu, 16 May 2002 00:57:01 -0400 (EDT) Received: by laptop.lambertfam.org (Postfix, from userid 1000) id 0E17028B09; Thu, 16 May 2002 00:59:10 -0400 (EDT) Date: Thu, 16 May 2002 00:59:10 -0400 From: Scott Lambert To: security@FreeBSD.ORG Subject: Re: Patch/Announcement for DHCPD remote root hole? Message-ID: <20020516045909.GC7616@laptop.lambertfam.org> Reply-To: security@FreeBSD.ORG Mail-Followup-To: security@FreeBSD.ORG References: <4.3.2.7.2.20020515101500.00e7fee0@nospam.lariat.org> <4.3.2.7.2.20020509175155.024efc00@nospam.lariat.org> <4.3.2.7.2.20020509175155.024efc00@nospam.lariat.org> <20020515105453K.matusita@jp.FreeBSD.org> <4.3.2.7.2.20020515101500.00e7fee0@nospam.lariat.org> <4.3.2.7.2.20020515132552.0313bbb0@nospam.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020515132552.0313bbb0@nospam.lariat.org> User-Agent: Mutt/1.3.28i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, May 15, 2002 at 01:35:35PM -0600, Brett Glass wrote: > > Also, as I mentioned in an earlier message, there is absolutely no > reason to supply buggy, dangerously insecure versions of packages > by default. All we're doing is hurting users. Sure there is. When you install release, you know you are getting a certain level of code. It makes support more consistent. > No, but you can make it easy to update. In fact, there's good reason > for /stand/sysinstall to take users out onto the Net and help them > secure the system. > > Antivirus programs, which are also sold in CD form, do this. The vendor > knows that the day after the CD is pressed (maybe even BEFORE the CD > is pressed; it takes time to make a master), there's a new update. So, > the first thing the program does is try to update itself via the Net. You are right, but it's not sysinstalls job to do this. This is portupgrade's job. Until we get binary patch kits, we just can't do the same thing for the OS. I am assuming that someone has taken the trouble of diff'ing the install images between patch levels to see how many files, and what that translates to in megabytes, would be required for a tarball that just unpacks over all changed files. I am also assuming that it is prohibitively large since it is a simple, brute force method. My iBook came with OS X 10.1.1. I had to download 40 MB of patches to get to 10.1.2. Reboot. Download 5 MB of patches to get to 10.1.3. Reboot. Download 2.5MB of patches to get to 10.1.4. That's not counting the updates to the included software. The last time I installed Solaris, it was a similar process except that the patch sets always got larger due to their cumulative nature. You can hunt down the individual patches but the sysadmins you are talking about couldn't be bothered with that. OS/2 was the same way. > There's almost no reason -- ever! -- to do an FTP install of -RELEASE > rather than -RELEASE-pN if patches exist. The FreeBSD Web site should > steer those who are interested in installing via FTP to the latest > patched release by default. Only if they *specifically ask for* the > unpatched release should they get it. Otherwise, again, we are doing > them a disservice and tarnishing FreeBSD's reputation. Supply the hardware. Fund the development. Get your newbie sysadmins to fund it. They are the ones who need these features, let them pay for it. It sounds great. But, it is going to take several hours of somebody's "quality time with the kids" to code it up. That's why it probably won't happen without funding. If you get started on the process now, it might be ready for 5.0. Maybe. Rather than ranting on the lists, your time might be better spent fund- raising so that the issues you want resolved can get the attention you think they should get. Installation and maintenance are hard for commercial vendors to get right. -- Scott Lambert KC5MLE Unix SysAdmin lambert@lambertfam.org http://www.lambertfam.org/~lambert/resume.html 3 years Sr. SysAdmin experience with FreeBSD in small & medium size ISPs. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message