From: Steve Francis
Date: Thu, 18 Apr 2002 15:08:39 -0700
To: Brett Glass
Cc: Jon Bergfeld, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <3CBF43E7.9080509@expertcity.com>

I'd just like to second this.

I've managed Unix systems for quite a few years, all Solaris and AIX until recently, when I started moving one production class of servers over to FreeBSD (performance is a lot better for this function).

My biggest confusion in moving to FreeBSD was the CVSup process, and how to get a currently patched stable image. (Not that it is that difficult, but it is not intuitive, and there was no page in the FreeBSD handbook saying "To ensure your system has the current patchset, and the most stable code as of this date, do this... If you don't trust the latest stable code, you can get patchlevel Y by doing this...")

Also, it is, in my opinion, unfortunate that I can install a system from the CDs without putting the source to everything on the box, but to go to the -releng current patch set, I do need to first get the sources for all on the system.

My .02c


Brett Glass wrote:
> At 12:17 PM 4/18/2002, Jon Bergfeld wrote:
>
>> look, the existing process seems to work fine for everyone else
>
> Actually, it doesn't. And it really hurts evangelism and new
> adopters of FreeBSD.
>
> <snip>
>
> As you can see from the above, FreeBSD doesn't have a simple answer
> to a simple, reasonable question: "How can I *just install* FreeBSD
> with all of the latest security fixes on a new machine, without
> walking off of a conceptual cliff?"
>
> We need to address this. Not only would it help newcomers; it would
> also help admins who just want to do a quick, no-hassle upgrade that
> includes the latest security fixes. We should NOT say, "the heck with
> them if they're not willing to learn all sorts of developer stuff on
> the spot." That's pointless elitism. And we shouldn't make it
> unreasonably hard for admins to update... or they might not do it.
> And then, when their systems are broken into, FreeBSD's reputation
> as a secure OS suffers.
>
> --Brett Glass
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
