From: Jason DiCioccio
To: Bill Moran
Date: Wed, 19 Jun 2002 16:03:56 -0700
Subject: Re: Apache 1.3.26 port
In-Reply-To: <3D110D17.50809@potentialtech.com>
Delivered-To: freebsd-security@freebsd.org

On 6/19/02 4:00 PM, "Bill Moran" wrote:

> Jonathan Arnold wrote:
>>> I would consider this semi-correct, at least from my experience. The data
>>> directories ARE separated out. Notice that there is a data.default and a
>>
>> I, in fact, just went through this and would beg to differ. It is not
>> very kind to delete a complete directory tree without any warning, either
>> when you install (something like "data.default *WILL BE REPLACED ON
>> UPGRADE*") or it should check on upgrade and not remove it if it is there.
>> I lost my entire web site with nary a peep, and luckily had the most
>> important stuff on another computer.
>
> This is outrageous. Have you ever heard of backups? I can't believe you're
> blaming loss of data on this. As a system administrator you should be backing
> up your data on a regular schedule. And you should ALWAYS back up your data
> before ANY upgrade. That's just proper procedure.

I think there are 2 issues here. One is that he did not do a backup, that is
for sure. However, there is an issue with the port as far as I am concerned as
well.

The port shouldn't be rm -rf'ing anything. It should be going by the plist if
anything at all. This way programs like pkg_deinstall and pkg_delete can do
their jobs correctly. For example, pkg_deinstall will not remove a file if the
checksum does not match the checksum that it had upon installation. This would
have saved everyone a lot of trouble and is really just the correct way to make
a port or a package the last time I checked.

Granted pkg_delete, iirc, would have deleted some of the files, like index.html,
because I don't believe it checks checksums before removing files. However, the
consequences would have been much less severe.

Doesn't this seem reasonable?

Cheers,
-JD-
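
The checksum-guarded, list-driven removal described in the message above, as an added example that is not part of the original post and is not the code of pkg_deinstall or pkg_delete. The packing-list format (a path line followed by an `@comment SHA256:` line), the function names and the file names are assumptions constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path):  # hex SHA-256 of a file's contents
    return hashlib.sha256(path.read_bytes()).hexdigest()

def parse_plist(text):
    """Parse the assumed format: a path line, then '@comment SHA256:<hex>'."""
    entries, current = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("@comment SHA256:") and current:
            entries.append((current, line.split(":", 1)[1]))
            current = None
        elif line and not line.startswith("@"):
            current = line
    return entries

def deinstall(prefix, plist_text):
    """Remove only listed files whose checksum still matches the recorded one."""
    removed, kept = [], []
    root = Path(prefix).resolve()
    for rel, recorded in parse_plist(plist_text):
        path = (root / rel).resolve()
        # Skip entries that resolve outside the prefix or no longer exist.
        if root not in path.parents or not path.is_file():
            continue
        if digest(path) == recorded:
            path.unlink()
            removed.append(rel)
        else:
            kept.append(rel)  # modified since install: leave it in place
    return removed, kept

def demo():
    """Install two stock files, edit one, add an unlisted one, then deinstall."""
    with tempfile.TemporaryDirectory() as prefix:
        data = Path(prefix) / "data"
        data.mkdir()
        plist = ""
        for name in ("index.html", "manual.html"):
            (data / name).write_text("stock " + name)
            plist += f"data/{name}\n@comment SHA256:{digest(data / name)}\n"
        (data / "index.html").write_text("my site")       # edited after install
        (data / "mysite.html").write_text("my own page")  # never in the list
        removed, kept = deinstall(prefix, plist)
        return removed, kept, sorted(p.name for p in data.iterdir())

if __name__ == "__main__":
    print(demo())
```

Only the untouched stock file is removed; the edited index.html and the unlisted file survive, which a recursive delete of the directory would not allow.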