Date:      Wed, 27 Sep 2000 23:41:58 +0200 (SAST)
From:      Justin Stanford <jus@security.za.net>
To:        Mike Silbersack <silby@silby.com>
Cc:        Kris Kennaway <kris@FreeBSD.org>, sigma@pair.com, freebsd-security@FreeBSD.org, green@FreeBSD.org
Subject:   Re: Status of FreeBSD-SA-00:41.elf?
Message-ID:  <Pine.BSF.4.21.0009272341000.73602-100000@fyre.somcol.co.za>
In-Reply-To: <Pine.BSF.4.21.0009271538380.52470-100000@achilles.silby.com>

Perhaps some kind soul with a little extra bandwidth and processing
power/ram could offer to set up a jail'd machine on one of their arb boxes
to run 3.x on for the developers? Mike's right, it is in the best
interests of FreeBSD.

Regards,
jus

On Wed, 27 Sep 2000, Mike Silbersack wrote:

> 
> On Wed, 27 Sep 2000, Kris Kennaway wrote:
> 
> > The issue is that most FreeBSD developers do not have a 3.5 machine
> > available for testing - BSDi were supposed to be setting up one for us to
> > use but it has not yet come through. This makes it very hard to test
> > security fixes to the 3.5 branch so we don't break it by just committing
> > blindly (in fact, I think we should officially drop security support for
> > the 3.x branch because in practise it's not being supported for security
> > fixes). I believe the problem is still not fixed in 3.5-STABLE at this
> > time.
> 
> One of the features of FreeBSD which I've found appealing in comparison to
> the linuxes I've seen is the relative ease of upgrade and assurance that
> your base system is secure after a simple buildworld/installworld.  I
> think that losing this feature for any version more than three months old
> would be a serious blow to the confidence of FreeBSD users
> everywhere.
> 
> I can't fault the developers for having personal boxes running 4+, I
> myself made the same move.  However, I find it hard to believe that BSDi
> can't find the resources to set up a single 3.x box.  After all, 3.5.1 is
> still being sold at freebsdmall.com, with the prominent "brought to you by
> BSDi" logo at the top of the page.  Surely the proceeds from the CD sales
> will at least cover the cost of a tiny celeron/duron system.
> 
> OTOH, if the lack of a box is really a metaphor for the security
> team being overworked, perhaps pursuing a solution similar to how OpenSSH
> is developed is a good long-term strategy.  After fully debugging and
> fixing a vulnerability in the current-stable release, a group of
> developers interested in maintaining older -stables can be given the same
> information/exploits/etc so that they can modify patches to fix their
> releases of interest.  Perhaps pair or some other provider dependent on
> 3.x could set up a box and organize this kind of group.
> 
> Undoubtedly, I'm oversimplifying the issues here.  However, the likelihood
> remains that if 3.x is abandoned, users may react by leaving FreeBSD
> rather than upgrading to 4.x.  Getting this situation resolved is in
> everyone's best interests.
> 
> Mike "Silby" Silbersack
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 


