From owner-freebsd-security Thu Apr 18 20: 6:51 2002
Delivered-To: freebsd-security@freebsd.org
Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by hub.freebsd.org (Postfix) with ESMTP id B13A437B416 for ; Thu, 18 Apr 2002 20:06:43 -0700 (PDT)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id DB67F4E9B; Thu, 18 Apr 2002 22:06:42 -0500 (CDT)
Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g3J36gi01720; Thu, 18 Apr 2002 22:06:42 -0500 (CDT) (envelope-from hawkeyd)
Date: Thu, 18 Apr 2002 22:06:42 -0500
From: D J Hawkey Jr
To: Brett Glass
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418220642.A1647@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <4.3.2.7.2.20020418200936.023fedd0@nospam.lariat.org> <4.3.2.7.2.20020418141843.021d1540_nospam.lariat.org@ns.sol.net> <20020418182218.GA35672_peitho.fxp.org@ns.sol.net> <4.3.2.7.2.20020418141843.021d1540_nospam.lariat.org@ns.sol.net> <200204190149.g3J1nOb01496@sheol.localdomain> <4.3.2.7.2.20020418200936.023fedd0@nospam.lariat.org> <20020418212445.A1577@sheol.localdomain> <4.3.2.7.2.20020418203122.0218e970@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <4.3.2.7.2.20020418203122.0218e970@nospam.lariat.org>; from brett@lariat.org on Thu, Apr 18, 2002 at 08:33:12PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

This'll be my last post in this thread, as Jason has a valid point in his reply; this discussion doesn't really belong in this list.
On Apr 18, at 08:33 PM, Brett Glass wrote:
> At 08:24 PM 4/18/2002, D J Hawkey Jr wrote:
>
> >> You obviously misunderstand what we've been referring to when we use
> >> the word "snapshot." A "snapshot," in this context, is a build of FreeBSD
> >> from a particular day's sources.
> >
> >No, I think I do understand. Would not that "snapshot" include the kernel?
> >If so, what would you like that kernel to be configured as when the snapshot
> >is taken?
>
> GENERIC.

Wouldn't cut it for some of the boxes I am or have been responsible for. It'd boot and run, mostly, but it wouldn't "communicate".

> >Would you really want an OS built for the lowest common denominator as the
> >one you install on your production servers, much less your desktop?
>
> Sure, to start with. And then I customize it. If my kernel config files are
> preserved through the update, I can do that very quickly.

Excepting servers that can't connect to a "master box" via NFS (as has been detailed), you can't possibly build and install a kernel inside of the ten to twenty (max?) minutes of downtime to install an already-built kernel from that NFS server "master". Even were it so, you'd end up with a tuned kernel running against its lowest common denominator OS; that's acceptable to you? Not for me, nope.

In my mind, it boils down to this: If you value FreeBSD enough to employ it, is it such a stretch to have a "master" on the network to accommodate FreeBSD's update/upgrade methodologies? My "master" just happens to be my workstation; no additional costs incurred.

In closing, it seems to me you've got to consider the entire population more, and your own conveniences a little less. Completely unfashionable since, oh, the middle 80's or so, but it's the coda to much, isn't it?

> --Brett

Dave

-- 
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/