From: Daniel Kalchev <daniel@digsys.bg>
Date: Wed, 31 Jul 2013 14:15:23 +0300
To: freebsd-stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories
Message-ID: <51F8F1CB.20707@digsys.bg>
In-Reply-To: <51F8B0E8.8090608@ShaneWare.Biz>
References: <1375186900.23467.3223791.24CB348A@webmail.messagingengine.com> <51F7B5C7.6050008@digsys.bg> <51F7C07C.9060606@digsys.bg> <51F7E352.30300@digsys.bg> <51F8B0E8.8090608@ShaneWare.Biz>

On 31.07.13 09:38, Shane Ambler wrote:
> On 31/07/2013 01:31, Daniel Kalchev wrote:
>
>> But here is an idea: Remove BIND from HEAD overnight and see how many
>> will complain ;-) If nobody complains, don't put it back in.
>
> Or change the default to off. If you want bind add WITH_BIND=yes to
> src.conf

That is just as good a solution as removing BIND from base. It is also
easier and faster to add it as a package/port, instead of recompiling
the whole base system.

> It's hard to say FreeBSD is a safe and secure OS when part of the base
> install is always being shown to have security flaws. New features need
> to prove they are reliable before they are accepted into a release yet
> we allow something that has a long proven history of being a source of
> security concerns.

Stop right here! There is plenty of other software that is in base and
is just as "buggy" as BIND, or even more so. BIND, by the way, benefits
from the fact that it runs on many other platforms and that those bugs
are typically found there, not on FreeBSD. In contrast to that, the
"perfect FreeBSD-only code" has bugs discovered only when someone
stumbles on them in FreeBSD.

> For something that needs to be constantly updated in between system
> updates then ports is the place to install it from.

You don't have to update BIND constantly, especially if you are not
using it. If you are using it, you will want it updated, no matter what.

> I think it is less about whether bind is useful and needs to be in base
> and more about should every user of FreeBSD be open to security issues
> or should a user have the option to say "yes I want potentially insecure
> software on my machine". The ports system allows messages that make it
> obvious to the user about security concerns.

You are reading too much into those messages. FreeBSD is not bug free,
nor is any other piece of code.

> How many people setup and use a FreeBSD machine without adding something
> from ports or packages?

Anyone who can does prefer not to install any ports. I have over a dozen
servers (and a gazillion jailed instances) that don't have one single
port installed. I find this feature of FreeBSD especially appealing and
something we should keep.

By the way, for those inclined to ask me for statistics: this is my
personal experience. It works for me. If you don't do that, it tells me
nothing I care about. We might have different reasons to make different
choices.

Daniel
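The practical question behind this exchange is which BIND an advisory actually obliges you to patch: the copy built into base (updated with the base system) or the one from ports (updated with pkg). The following sh script is an added example, not part of this thread or of the FreeBSD project's own tooling. It assumes the base named lives at /usr/sbin/named and the port's at /usr/local/sbin/named, that rc.conf selects the binary through named_program (defaulting to the base path when unset), and the script file name named-source.sh; all of these are illustrative assumptions. The knob that drops the base copy at the time of the thread was WITHOUT_BIND=yes in /etc/src.conf (see src.conf(5)); Shane's WITH_BIND=yes refers to his proposed flip of the default.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report whether a FreeBSD
# host runs the base-system BIND or the ports copy, and which one rc.conf
# points to. Assumed paths: /usr/sbin/named (base), /usr/local/sbin/named
# (port). Assumed rc.conf variable: named_program, defaulting to the base path.
# To drop the base copy entirely, put WITHOUT_BIND=yes in /etc/src.conf and
# rebuild; then only the ports copy (and the pkg update path) is left.

# Classify a named binary path as "base", "ports", or "unknown".
named_source() {
    case "$1" in
        /usr/sbin/named) echo base ;;
        /usr/local/sbin/named) echo ports ;;
        *) echo unknown ;;
    esac
}

# Extract named_program from an rc.conf-style file (quoted or unquoted,
# trailing comments ignored); fall back to the rc.d default when unset.
rc_named_program() {
    prog=$(sed -n 's/^[[:space:]]*named_program="\{0,1\}\([^"#[:space:]]*\)"\{0,1\}.*/\1/p' "$1" 2>/dev/null | tail -n 1)
    echo "${prog:-/usr/sbin/named}"
}

# Succeeds when named_enable is set to YES (any case) in the given file.
rc_named_enabled() {
    grep -Eq '^[[:space:]]*named_enable="?[Yy][Ee][Ss]"?' "$1" 2>/dev/null
}

# Print which named is configured and which copies are installed (with the
# version each reports), so you know whether a BIND advisory means a base
# update, a pkg update, or both.
report() {
    rc="$1"
    if rc_named_enabled "$rc"; then
        p=$(rc_named_program "$rc")
        echo "named enabled in $rc: $p ($(named_source "$p"))"
    else
        echo "named not enabled in $rc"
    fi
    for b in /usr/sbin/named /usr/local/sbin/named; do
        if [ -x "$b" ]; then
            echo "installed: $b ($(named_source "$b")) $("$b" -v 2>/dev/null)"
        fi
    done
}

# Only run the report when an rc.conf path is given, e.g.
#   sh named-source.sh /etc/rc.conf
# so the file can also be sourced for its functions.
case "${1:-}" in
    "") ;;
    *) report "$1" ;;
esac
```

The point of the check is the split update path: a host with both copies installed has to track advisories for both, and a host where rc.conf points at the ports binary still carries the base one until WITHOUT_BIND removes it.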