From: "Mario Lobo"
Organization: American School of Recife - Brazil
To: security@FreeBSD.ORG
Date: Fri, 19 Apr 2002 08:04:01 -0300
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Reply-To: mlobo@ear.com.br
Message-ID: <3CBFCF67.3119.3C78042@localhost>
In-reply-to: <4.3.2.7.2.20020418135706.02192c60@nospam.lariat.org>
References: <20020418181744.45846.qmail@web14201.mail.yahoo.com>

I've been following this thread since it started and this is the DEFINITE exposition of the problem that Brett has been trying to show since the beginning. To anyone that thinks there is not really an issue here, the last paragraph applies.

Brett, your next step (if there is any next step) is to use apples and oranges!!

Mario Lobo

> Actually, it doesn't. And it really hurts evangelism and new
> adopters of FreeBSD.
>
> For example, here's a rough transcript of a conversation I recently
> had with an admin who wanted to put up a FreeBSD server.
>
> Prospective user: FreeBSD sounds neat. How do I install it?
>
> Me: Well, it's really easy. You just put in the first install floppy,
> boot the system, insert the second floppy when asked, and away you
> go. You can get the release floppies at ftp://www.freebsd.org/.
>
> Prospective user: But I've heard that there were some security holes
> and bugs discovered since then. How do I install a version with those
> problems fixed?
>
> [What I'd like to say: Oh, that's simple. In the same directory
> you'll see 4.5-RELEASE, 4.5-RELEASE-p1, 4.5-RELEASE-p2, et
> cetera. Just get the floppies for the most recent one, and it
> will have all the critical fixes.
>
> What I'd like to hear the prospective user say: This is great!
> I'm glad that FreeBSD lives up to its reputation for being
> easy to install.]
>
> What I have to say now: That's not so simple. First, you have
> to install the last full release, bugs and all. Then, you have
> to use CVSup...
>
> Prospective user: What's that?
>
> Me: Well, it updates your source tree to include the latest fixes.
>
> Prospective user: Source tree? I'm not ready to play with the
> source; I'm not familiar with the system yet, and I don't know
> what this CVSup thing is.
>
> Me: Unfortunately, there's no other way to do it. You have to
> get the latest source, using the tag RELENG_4_5, and then
> do a "make world."
>
> Prospective user: What's a tag? How do I use it? And what's a
> "make world?" And how do you find out the name "RELENG_4_5"
> if you don't know it already?
>
> Me: Do you have about half an hour? I can teach you the basics
> of CVSup....
>
> Prospective user: Naah, never mind. This is more complicated than
> I thought, and it's a lot more complicated than installing
> Red Hat and installing the latest RPMs to fix the bugs. I just
> wanted to download a version of the OS that's secure, but I
> don't have time to learn about all this stuff you're talking
> about right this minute. I guess I'll stick with {Win2K/Linux}.
>
> (End of dialogue)
>
> As you can see from the above, FreeBSD doesn't have a simple answer
> to a simple, reasonable question: "How can I *just install* FreeBSD
> with all of the latest security fixes on a new machine, without
> walking off of a conceptual cliff?"
>
> We need to address this. Not only would it help newcomers; it would
> also help admins who just want to do a quick, no-hassle upgrade that
> includes the latest security fixes. We should NOT say, "the heck with
> them if they're not willing to learn all sorts of developer stuff on
> the spot." That's pointless elitism. And we shouldn't make it
> unreasonably hard for admins to update... or they might not do it.
> And then, when their systems are broken into, FreeBSD's reputation
> as a secure OS suffers.
>
> --Brett Glass