From owner-freebsd-stable@FreeBSD.ORG Wed Dec 4 02:33:18 2013
Message-ID: <5c09ba519b7e975a1fbd877a2c4d7b0e.authenticated@ultimatedns.net>
References: <1386086749.9599.54995173.6CD35E54@webmail.messagingengine.com> <20131203.223612.74719903.sthaug@nethelp.no> <560e9b24248600b4125c8786712d0bf9.authenticated@ultimatedns.net>
Date: Tue, 3 Dec 2013 18:33:43 -0800 (PST)
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
From: "Chris H"
To: "Kevin Oberman"
Cc: freebsd-stable@freebsd.org
Content-Type: text/plain;charset=utf-8

> On Tue, Dec 3, 2013 at 2:10 PM, Chris H wrote:
>
>>>>> It was a deliberate decision made by the maintainer. He said the chroot
>>>>> code in the installation was too complicated and would be removed as a
>>>>> part of the installation clean-up to get all BIND related files out of
>>>>> /usr and /etc. I protested at the time as did someone else, but the
>>>>> maintainer did not respond. I think this was a really, really bad
>>>>> decision.
>>>>>
>>>>> I searched a bit for the thread on removing BIND leftovers, but have
>>>>> failed to find it.
>>>>
>>>> You're probably thinking about my November 17 posting:
>>>> http://lists.freebsd.org/pipermail/freebsd-stable/2013-November/075895.html
>>>>
>>>> I'm glad to see others finally speaking up; I was beginning to think I was
>>>> the only one who thought this was not a good idea. I'm a bit surprised
>>>> that no one has responded yet.
>>>
>>> I agree with the protesters here. Removing chroot and symlinking logic
>>> in the ports is a significant disservice to FreeBSD users, and will
>>> make it harder to use BIND in a sensible way. A net disincentive to
>>> use FreeBSD :-(
>>
>> I strongly disagree. The BIND is still available within FreeBSD for anyone
>> who chooses to use/install it. Further, nothing stops anyone who wishes to
>> continue using the CHROOT(8) script(s) that provided the BIND with a chroot.
>> Any copy of a FreeBSD-8 (maybe even 9) install CD/DVD holds all the "magic"
>> required. It is _easily_ acquired, and implemented. In fact, one could
>> easily turn the whole affair into an automated routine.
>> So. Bottom line; the BIND still remains with FreeBSD, nothing has been
>> taken away.
>> The CHROOT(8) scripts are still easily available, and can be implemented,
>> at will, by anyone who cares to continue using it.
>> What's the big deal?
>>
>
> The big deal was that BIND, by default, just installed in a clean chroot
> environment. It just worked. Now installing BIND from ports simply puts it
> there with no added protection at all. Since it has long been recommended
> that BIND either be run chrooted or jailed, this looks like a large step
> backwards to me. The code was all there. I realize that moving the symlinks
> around to do the job without polluting the base OS would take some doing,
> but there is no reason it could not be done or that it should be terribly
> difficult (said without looking at all of the details).
>
> I hate to see regressions and this is clearly a regression. Worse, it was a
> deliberate one made with a very casual comment that it was just cleaning up
> the script by eliminating the complicated chroot code.

Look. I mean no offense to you, or anyone else. But as I'm running "stable",
I subscribed to the @stable list. I remember quite a few comments about it.
As memory serves, it was in regards to a security issue at one point. Then an
issue with the effect of the size of the install. All in all, given that
everyone's on svn now, it seems relatively simple to suck the bits from the
old src into anyone's currently maintained src tree, and be done with it. In
fact, I can imagine an easy cobbling of a "custom" install CD/DVD. That, once
created, can serve for /quite/ some time.
Anyway. I guess I'm just surprised that everyone seems suddenly so surprised
about it. When I first heard of it, I cobbled up a BIND replacement that used
a DNS source that isn't on FreeBSD's list. I simply replaced my choice of DNS
server for the BIND. Then presto, I had a completely different DNS server
that installed and ran exactly as the BIND used to.
Oh well. That's my experience with it.

Chris out...

> --
> R. Kevin Oberman, Network Engineer
> E-mail: rkoberman@gmail.com
>
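The thread argues about whether the old "install BIND into a chroot and it just works" behaviour mattered, without showing what that confinement consists of. The script below is an added example, written for this page; it is not code from the thread, from the CHROOT(8) scripts mentioned above, or from FreeBSD's old rc.d/named. It lays out a minimal chroot tree for named, checks the tree before anything is started (every directory present, config present and not world-writable), and prints the command that confines the daemon. The root directory, the unprivileged user name "bind", and the directory names (modelled on the old FreeBSD /var/named layout) are my assumptions; the named(8) flags -t, -u and -c are real BIND 9 options.

```shell
#!/bin/sh
# Added example (not from this thread, FreeBSD's rc.d/named, or the CHROOT(8)
# scripts): build and verify a minimal chroot tree for BIND's named.
# Assumptions: tree lives under $1, named runs as user "bind" (override with
# NAMED_USER), directory names follow the old FreeBSD /var/named layout.

NAMED_USER="${NAMED_USER:-bind}"

# Directories named needs inside the chroot root.  Only the slave/dynamic/
# working zone dirs and var/run/named have to be writable by $NAMED_USER;
# the master zones and named.conf stay read-only to the daemon.
CHROOT_DIRS="etc/namedb/master etc/namedb/slave etc/namedb/dynamic \
etc/namedb/working var/run/named var/log dev"
WRITABLE_DIRS="etc/namedb/slave etc/namedb/dynamic etc/namedb/working var/run/named"

# Create the tree under $1 and drop in a minimal named.conf if none exists.
# Returns 0 on success, 1 on a missing argument or mkdir failure.
build_named_chroot() {
    root="$1"
    [ -n "$root" ] || return 1
    for d in $CHROOT_DIRS; do
        mkdir -p "$root/$d" || return 1
    done
    if [ ! -f "$root/etc/namedb/named.conf" ]; then
        # Paths inside the config are relative to the chroot root, not the host.
        cat > "$root/etc/namedb/named.conf" <<'EOF'
options {
    directory "/etc/namedb/working";
    pid-file  "/var/run/named/pid";
    listen-on { 127.0.0.1; };
    recursion no;
};
EOF
    fi
    chmod 644 "$root/etc/namedb/named.conf"
    # Ownership changes need root, so they are left to the operator:
    #   for d in $WRITABLE_DIRS; do chown "$NAMED_USER" "$root/$d"; done
    return 0
}

# Verify the tree before starting named: every required directory exists,
# the config is present, and the config is not world-writable (a writable
# named.conf would let a compromised daemon rewrite its own policy).
# Prints each problem to stderr; returns 0 only when nothing is wrong.
check_named_chroot() {
    root="$1"
    status=0
    for d in $CHROOT_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d" >&2
            status=1
        fi
    done
    conf="$root/etc/namedb/named.conf"
    if [ ! -f "$conf" ]; then
        echo "missing config: $conf" >&2
        status=1
    elif [ -n "$(find "$conf" -perm -002)" ]; then
        echo "config is world-writable: $conf" >&2
        status=1
    fi
    return $status
}

# The start command: -t chroots into the tree, -u drops privileges to
# $NAMED_USER after the listening sockets are bound, -c names the config
# relative to the new root.  Not executed here: it needs root, and named
# also needs /dev/null and /dev/random inside the root (the old FreeBSD rc
# script arranged that along with the /etc/namedb symlink).
named_start_command() {
    echo "named -u $NAMED_USER -t $1 -c /etc/namedb/named.conf"
}

# Stand-alone usage:  sh named-chroot.sh /tmp/named-chroot
if [ -n "$1" ]; then
    build_named_chroot "$1" && check_named_chroot "$1" && named_start_command "$1"
fi
```

The check is deliberately separate from the build so it can run on its own against an existing tree (for instance from a nightly job), which is the piece the old rc script gave you implicitly and the plain port install no longer does.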