Date: Fri, 19 Apr 2002 08:04:01 -0300
From: "Mario Lobo" <Mlobo@ear.com.br>
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <3CBFCF67.3119.3C78042@localhost>
In-Reply-To: <4.3.2.7.2.20020418135706.02192c60@nospam.lariat.org>
References: <20020418181744.45846.qmail@web14201.mail.yahoo.com>

I've been following this thread since it started and this is the DEFINITE
exposition of the problem that Brett has been trying to show since the
beginning.

To anyone that thinks there is not really an issue here, the last
paragraph applies.

Brett, your next step (if there is any next step) is to use apples and
oranges!!

Mario Lobo

> Actually, it doesn't. And it really hurts evangelism and new
> adopters of FreeBSD.
>
> For example, here's a rough transcript of a conversation I recently
> had with an admin who wanted to put up a FreeBSD server.
>
> Prospective user: FreeBSD sounds neat. How do I install it?
>
> Me: Well, it's really easy. You just put in the first install floppy,
> boot the system, insert the second floppy when asked, and away you
> go. You can get the release floppies at ftp://www.freebsd.org/.
>
> Prospective user: But I've heard that there were some security holes
> and bugs discovered since then. How do I install a version with those
> problems fixed?
>
> [What I'd like to say: Oh, that's simple. In the same directory
> you'll see 4.5-RELEASE, 4.5-RELEASE-p1, 4.5-RELEASE-p2, et
> cetera. Just get the floppies for the most recent one, and it
> will have all the critical fixes.
>
> What I'd like to hear the prospective user say: This is great!
> I'm glad that FreeBSD lives up to its reputation for being
> easy to install.]
>
> What I have to say now: That's not so simple. First, you have
> to install the last full release, bugs and all. Then, you have
> to use CVSup...
>
> Prospective user: What's that?
>
> Me: Well, it updates your source tree to include the latest fixes.
>
> Prospective user: Source tree? I'm not ready to play with the
> source; I'm not familiar with the system yet, and I don't know
> what this CVSup thing is.
>
> Me: Unfortunately, there's no other way to do it. You have to
> get the latest source, using the tag RELENG_4_5, and then
> do a "make world."
>
> Prospective user: What's a tag? How do I use it? And what's a
> "make world?" And how do you find out the name "RELENG_4_5"
> if you don't know it already?
>
> Me: Do you have about half an hour? I can teach you the basics
> of CVSup....
>
> Prospective user: Naah, never mind. This is more complicated than
> I thought, and it's a lot more complicated than installing
> Red Hat and installing the latest RPMs to fix the bugs. I just
> wanted to download a version of the OS that's secure, but I
> don't have time to learn about all this stuff you're talking
> about right this minute. I guess I'll stick with {Win2K/Linux}.
>
> (End of dialogue)
>
> As you can see from the above, FreeBSD doesn't have a simple answer
> to a simple, reasonable question: "How can I *just install* FreeBSD
> with all of the latest security fixes on a new machine, without
> walking off of a conceptual cliff?"
>
> We need to address this. Not only would it help newcomers; it would
> also help admins who just want to do a quick, no-hassle upgrade that
> includes the latest security fixes. We should NOT say, "the heck with
> them if they're not willing to learn all sorts of developer stuff on
> the spot." That's pointless elitism. And we shouldn't make it
> unreasonably hard for admins to update... or they might not do it.
> And then, when their systems are broken into, FreeBSD's reputation
> as a secure OS suffers.
>
> --Brett Glass
