Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 11 Apr 2001 11:13:35 -0700
From:      Jason DiCioccio <Jason.DiCioccio@Epylon.com>
To:        'Scott Johnson' <sjohn@airlinksys.com>, freebsd-security@freebsd.org
Subject:   RE: Security Announcements
Message-ID:  <657B20E93E93D4118F9700D0B73CE3EA0166D77F@goofy.epylon.lan>

next in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Scott,

  While I don't take your approach to maintaining my machines (I
actually use -STABLE), I completely agree with you.  I have
encountered problems in -STABLE due to the given period of time that
I simply cvsupped to it (getting -STABLE on a 'bad day').. Mind you,
- -CURRENT has many more bad days than -STABLE does, but -STABLE
definitely has them.  And if every single machine on your network has
to be up at all times, I would agree with your patching -RELEASE
method.  I'm sure many others take this path as well, and it seems a
logical one.  It's nice to have a choice.

Perhaps patches to -RELEASE wouldn't come out as quickly as they
would be commited to -STABLE (obviously) but I still think they
should be released within a reasonable time-frame.  For instance with
NTP, I've seen about every other vendor release advisories/patches
for xntpd except for us.

Cheers,
- -JD-


- -------
Jason DiCioccio
Evil Genius
Unix BOFH

mailto:jasond@epylon.com

- ----Original Message-----
From: Scott Johnson [mailto:sjohn@airlinksys.com]
Sent: Wednesday, April 11, 2001 10:52 AM
To: freebsd-security@freebsd.org
Subject: Re: Security Announcements


There is a difference between security fixes and a 'more low-key and
conservative set of changes intended for our next mainstream
release'. I
maintain a single source tree for all of my machines. That source
tree is
4.2-RELEASE + security patches. Things break in -STABLE despite the
care
taken in merging from -CURRENT; if I don't need features found only
in
- -STABLE, my preference is to trust more the long testing period of a
- -RELEASE. While I could test stable on a spare box, that would be
time-consuming and error-prone, since that box would have to emulate
the
designated tasks of all my machines. On the other hand, maintaining a
- -STABLE source tree in addition to -RELEASE and selectively
installing
certain things like bind and ntp when the need arises may have
problems
because the -STABLE software is out of sync with the rest of the
system.
This also creates problems when building world with the -RELEASE
tree,
since some software should come from -STABLE. And when it comes down
to
it, I'd rather build just a kernel, or just a userspace program, and
only
when I have to, then rebuild everything on a semi-regular basis.

I just want to add my voice as to how I use FreeBSD. Simply saying
'use
- -STABLE' to those of us running -RELEASE on production systems isn't
appropriate, since I believe we have valid reasons for running
- -RELEASE on
our systems. These security issues are not so frequent that providing
patches for -RELEASE should be too burdensome. In fact, if -STABLE
was
fixed, the fix is already available and could be applied to -RELEASE
with
little or no modification.  I've been pleased, actually, with how
patches
have been made available for -RELEASE until only recently, when both
the
bind and ntp vulnerabilities went by without patches. I thought, up
till
this discussion, that it was assumed that many run a -RELEASE, and
that
patches were supplied for that reason. I for one (and judging by the
posts
to this thread I'm not alone) use FreeBSD this way, and I ask that it
be
considered important to make security patches available for the
latest
- -RELEASE.


Quoth Roberto Nunnari on Wed, Apr 11, 2001 at 02:00:26PM +0200:
> stable is not pre-beta.
> http://www.freebsd.org/handbook/current-stable.html
> 
> ...cut and paste from the above:
> 
> 19.2.2. Staying Stable with FreeBSD
> 
> If you are using FreeBSD in a production environment and want to
> make  sure you have the latest fixes from the -CURRENT branch, you
> want to be  running -STABLE. This is the tree that -RELEASEs are
> branched from when  we are putting together a new release. For
> example, if you have a copy  of 3.4-RELEASE, that is really just a
> ``snapshot'' from the -STABLE  branch that we put on CDROM. In
> order to get any changes merged into  -STABLE after the -RELEASE,
> you need to ``track'' the -STABLE branch. 19.2.2.1. What is
> FreeBSD-STABLE?
> 
> FreeBSD-STABLE is our development branch for a more low-key and 
> conservative set of changes intended for our next mainstream
> release.  Changes of an experimental or untested nature do not go
> into this branch  (see FreeBSD-CURRENT).

- -- 
                                 Scott Johnson
                          System/Network Administrator
                                Airlink Systems

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>;

iQA/AwUBOtSfeFCmU62pemyaEQIR6wCdHs0sQHk9embF6L/OJCvNcT+ROEcAnjzO
VHCIoZYuo/e9tAqasm1wB2bp
=qwCa
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?657B20E93E93D4118F9700D0B73CE3EA0166D77F>