From owner-freebsd-stable@FreeBSD.ORG Sun Mar 23 19:23:03 2014
Message-ID: <532F3499.4040407@ohlste.in>
Date: Sun, 23 Mar 2014 15:23:05 -0400
From: Jim Ohlstein
To: Daniel Corbe
Cc: Randy Bush, Mark Linimon, freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: reason 23 why we've moved to linux
References: <532EDDD0.80700@ohlste.in> <20140323153843.GA16935@lonesome.com> <532F1C48.7080003@ohlste.in>
List-Id: Production branch of FreeBSD source code

Hello,

On 3/23/14, 2:41 PM, Daniel Corbe wrote:
> Jim Ohlstein writes:
>
>> Hello Mark,
>>
>> On 3/23/14, 11:38 AM, Mark Linimon wrote:
>>> On Sun, Mar 23, 2014 at 09:12:48AM -0400, Jim Ohlstein wrote:
>>>> last I checked there were over 1500 active ports related PR's alone.
>>>
>>> Current count is 1851. See http://portsmon.freebsd.org/portsoverall.py .
>>>
>>> The whole list is at:
>>>
>>> http://portsmon.freebsd.org/portsprsbyexplanation.py?explanation=existing&sortby=prnumber&reverse .
>>>
>>> I did a little rough data reduction for curiosity about changes related
>>> to "new infra":
>>>
>>> % grep -i clang foo | wc -l
>>> 32
>>> % grep -i stage foo | wc -l
>>> 37
>>> % grep -i staging foo | wc -l
>>> 31
>>> % grep -i options foo | wc -l
>>> 31
>>> % grep -i cflags foo | wc -l
>>> 5
>>> % grep USE_ foo | wc -l
>>> 22
>>> % grep WITH_ foo | wc -l
>>> 19
>>>
>>> as opposed to:
>>>
>>> % grep -i update foo | wc -l
>>> 280
>>>
>>> NB: I didn't check for overlaps.
>>>
>>> I was expecting to see more "new infra" changes than 200.
>>>
>>> I will note that about a third of the PRs are from the last 3 months.
>>> I no longer have an insight into how fast PRs are turned over but it
>>> is quite brisk.
>>>
>>> mcl
>>>
>>
>> Thanks for your response. I don't think that tells the whole story.
>>
>> How many PR's contain "broken" or "broken on 10" or "break" or "build"
>> or similar? Another few I'm sure. Updates are important too. Many of
>> us look forward to new features, not to mention important security
>> fixes. The only ones which may not be "urgent" or "important" are the
>> new port proposals, of which I counted 181. (I have a few in there and
>> I am waiting patiently. I spent quite a few hours working on a port of
>> MonetDB which sits there untaken. Maybe it sucks, but I'd like
>> feedback/help if needed. I have others for which I directly approached
>> a committer whom I like and respect since he maintains similar ports,
>> and was told he's too busy.)
>>
>> I'm not trying to make this more of a bitch-fest than it is, but I'll
>> point out the obvious: if a third of PR's are from the last three
>> months, that means two thirds are older than three months! I don't
>> find that to be "quite brisk". If the ratio were reversed I might
>> be inclined to agree.
>>
>> My point, however, was perhaps missed. While I did squawk that the new
>> pkg system is in a state of flux and therefore not appropriate for
>> sole use on 10, I was separately mentioning the glacial pace at which
>> ports related PR's get looked at, taken, and committed. There is no
>> obvious triage system. It's simply that if someone is "interested" they
>> take the PR. If no one is interested, it sits. Imagine if a hospital
>> emergency department functioned that way. A gunshot wound might sit in
>> the waiting room because seeing a case of strep throat would be less
>> work, or a laceration needing sutures might be more fun. And one case
>> of strep throat might sit six hours while another waited only 30
>> minutes because it was up to the doctors and nurses to decide who they
>> wanted to see and when, not based on any system of necessity, urgency
>> or how long a problem has been waiting.
>>
>> In the current system, if there is a maintainer, s/he may not answer a
>> PR for months, even if that person is a FreeBSD committer. If ports
>> don't build, that *is* a big issue because pretty much everyone uses
>> them. With two thirds of ports related PR's over three months old,
>> updating your system is a crapshoot at best.
>
> How many of these PRs contain remotely exploitable security
> vulnerabilities? Of which, how many of these ports do you use on a
> regular basis?

I don't know. There's no obvious way to tell.

> You like to talk about "triage" like the very existence of a bug in the
> ports tree is a show stopper. To use your example, context actually
> means a great deal in an emergency room. You would treat that gunshot
> wound victim before you would treat the 1500 other patients in your
> waiting room with self-inflicted bruises, sprains and muscle pulls.

Wow, something got the hair on your neck up. This is my point exactly. In
an ER they would take the most serious first (and sometimes gunshots are
through and through and not all that critical), and then the non-serious
*in order*, or at least reasonably so, not by a willy-nilly "I'll take
this" system. That way the pretty girl with strep throat who's been
waiting only 30 minutes doesn't get seen ahead of the smelly homeless old
guy with leg ulcers who's been waiting six hours.

Ports PR's are mostly non-urgent. Triage out the urgent and get them done.
The rest should be handled in order, not by an "I'll take this" system.

> There's a finite amount of people available to respond to PRs. They do
> a pretty good job of maintaining the ports that are most often used.

I don't disagree that it's "pretty good". Again, context. I raised a
series of concerns, and this was but one of them. Try building KDE-4 and
tell me how that goes. I have a laptop that had a functional KDE-4. Sadly
I tried a binary upgrade. Left X unusable. Then I tried compiling from
source. Multiple ports failed. Finally backed up the laptop, reinstalled
10.0-RELEASE and used the included packages. That works, but I'm left
with outdated software. Not a huge issue, but certainly could be seen as
a barrier to adoption.

> It's been almost a decade since I've had a FreeBSD box fall victim to a
> remote exploit. By contrast, I constantly struggle to keep the
> vendor-supplied linux boxes on my network from being broken into.

Like I said earlier, FreeBSD is the worst system, except for everything
else out there. I use GNU/linux only when I have to do so, and never by
choice.

> And if you're really so worried about corner cases, perhaps a more
> pro-active approach to security is required. After all, it really isn't
> that much more work to maintain a software package from source than it
> is to constantly scan and run binary upgrades.

That's exactly what I do on network servers. I have my own repository and
build with poudriere (poudriere *is* the shining star of the new
packaging system, and I will shout that from the rooftops). When I see a
security release that's based on a verified vulnerability, I don't wait
for the maintainer. I edit the Makefile, run "make makesum" and upgrade.

Nice chatting. Peace out.

--
Jim Ohlstein

"Never argue with a fool, onlookers may not be able to tell the
difference." - Mark Twain