Date: Thu, 19 Mar 2015 01:02:45 +0100
From: Polytropon
To: Chris Stankevitz
Cc: freebsd-questions
Subject: Re: FreeBSD recommends not using base unbound for an authoritative server
Message-Id: <20150319010245.17075fe5.freebsd@edvax.de>
References: <5508B8EB.3050907@gmail.com>

On Wed, 18 Mar 2015 12:49:34 -0700, Chris Stankevitz wrote:
> Got it, thank you. In my original post I described my excitement
> about using the FreeBSD base packages for a number of reasons:

Intermission: Note that the base system does not exactly consist of
individual packages, as it does in various Linux distributions (where
there is no real "base system" at all, just an arbitrary combination
of packages, and even the kernel can be considered a package). The OS
is being distributed as a "whole unit", and special quality control is
being applied before -RELEASE-pX patches are made available. Things
are tested much more before you can run freebsd-update and get the
update. There is a difference to -STABLE and -HEAD, which might get
security updates faster, but with the risk (especially on -HEAD, or
-CURRENT) of not even working.

You listed some advantages that apply to the OS more than to ports:

> - documented in handbook

Exactly. :-)

> - security problems are described in FreeBSD announcements

Also correct. But you can use auditing tools (and "pkg audit") to get
informed quickly when an installed port has security issues.

> - easy updates with freebsd-update

Also correct.

> - infrequent updates

What does "infrequent" mean? There is no "5 year plan" which defines
when and how updates are being performed. It's true that the FreeBSD
OS may need one day or two to test and supply a security patch for
software which also exists in ports or is being ported from another
OS, and it might be that such an update is available more quickly
through ports, but those who release the original (!) patch, maybe
for a Linux program, do not test anything in relation to FreeBSD.

However, when you're updating your ports collection with "portsnap"
or "svn update", the update is usually faster than it would be for
OS-related software. That is the reason why ports are encouraged when
you need to fix security issues quickly.

> I'm still left wondering why the FreeBSD handbook recommends favoring
> ports over base when running an externally visible unbound server.

The port maintainer is quicker than the OS team because he has to
deal with fewer things. :-)

> However, from the response I got here it seems clear that the reason
> is not "security" or "trust". It's just some other [yet unspecified]
> reason.

It's probably not trust (no more or less than the OS), but it is
security, under the name of speed. It's also the point _where_ you
apply a change: at the OS level or in the "additionally installed
software" (which is the ports collection). Updating the OS usually
involves a reboot, but updating a port often does not. So that might
also be a reason when downtime is a major concern.

Summary: There is no "the one real way". It depends on your
priorities and choices.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
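The two practical points in the reply above, using "pkg audit" to learn quickly that an installed port is affected, and the fact that a base update (unlike most port updates) usually needs a reboot before the fix is actually running, can be turned into a small operator check. The script below is an added example and is not from the mailing-list message or the FreeBSD project; it assumes the "pkgname-version is vulnerable:" line format of pkg audit output and the -k/-r options of freebsd-version(1) (installed vs. running kernel). The audit text embedded in it is constructed sample data, not a real advisory.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): summarise the state of
# ports and base on a FreeBSD host. The parsing helpers read text on stdin so
# they can be exercised offline with constructed sample output.

# Constructed sample of `pkg audit -F` output (placeholder package names, not
# real advisories). Two packages are reported as vulnerable.
SAMPLE_AUDIT='examplepkg-1.0 is vulnerable:
examplepkg -- constructed description (sample data only)
WWW: https://example.invalid/PLACEHOLDER-ADVISORY.html

otherpkg-2.3_1 is vulnerable:
otherpkg -- constructed description (sample data only)
WWW: https://example.invalid/PLACEHOLDER-ADVISORY-2.html

2 problem(s) in 2 installed package(s) found.'

# Count the packages pkg audit reports as vulnerable (audit output on stdin).
# grep -c prints 0 and exits 1 when nothing matches, so the || true keeps the
# function from failing under `set -e` on a clean host.
count_vulnerable() {
    grep -c ' is vulnerable' || true
}

# Print one vulnerable package name-version per line (audit output on stdin).
vulnerable_packages() {
    sed -n 's/ is vulnerable.*$//p'
}

# A base-system update only takes effect after a reboot: compare the kernel
# installed on disk ($1, `freebsd-version -k`) with the one actually running
# ($2, `freebsd-version -r`). Returns 0 (true) when they differ.
reboot_pending() {
    [ "$1" != "$2" ]
}

# Live check for a real FreeBSD host; not called at load time so the helpers
# above can be tested anywhere.
audit_summary() {
    if ! command -v pkg >/dev/null 2>&1; then
        echo "pkg(8) not found; is this a FreeBSD host?" >&2
        return 2
    fi
    audit=$(pkg audit -F 2>/dev/null)
    n=$(printf '%s\n' "$audit" | count_vulnerable)
    echo "vulnerable ports installed: $n"
    printf '%s\n' "$audit" | vulnerable_packages | sed 's/^/  /'
    if reboot_pending "$(freebsd-version -k)" "$(freebsd-version -r)"; then
        echo "base update installed but not running: reboot pending"
    else
        echo "running kernel matches installed kernel"
    fi
    [ "$n" -eq 0 ]
}
```

Run audit_summary from cron or a monitoring hook; its exit status is non-zero while any installed port is on the vulnerability list, which is the "get informed quickly" part, and the kernel comparison catches the case where freebsd-update has been run but the patched kernel is not yet in use.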