Date: Tue, 2 Jul 2002 19:25:56 -0400 (EDT)
From: Chris BeHanna
To: FreeBSD Security
Subject: Re: security fixes

On Tue, 2 Jul 2002, twig les wrote:

> Absolute agreement.

OK, then. Ante up, say, $7000 apiece to get two people working on
this full-time, and you might get 4.6.1 in six weeks.[1]

As an alternative, for your customers, you might build a custom
release from a known working snapshot of -STABLE that you've tested
the bejeezus out of.

> --- Brett Glass wrote:
> > At 11:22 AM 7/2/2002, Wincent Colaiuta wrote:
> >
> > >So on production systems track RELENG_4_6 now, and
> > >when that stops being updated, start tracking
> > >RELENG_4_7, and so on....
> >
> > With the flurry of changes going on (including the OpenSSH hole
> > and libc hole in the base install and the Apache vulnerability in
> > the ports and packages), it'd be nice to see an interim release.
> > Who here would be in favor of that? Who, on the FreeBSD Core Team,
> > might make the decision to do an interim release before 4.7
> > (scheduled for October)? (Yes, it takes work to put out a release,
> > but do we really want everyone who wants a secure system to have
> > to install from -STABLE snapshots, running the risk of picking a
> > bad day, for four months?)

-- 
Chris BeHanna                              http://www.pennasoft.com
Principal Consultant
PennaSoft Corporation
chris@pennasoft.com

[1] I am neither a committer, nor a member of core, nor a member of
    the RE team.[2] I can't make this commitment on their behalf. I
    wrote this to illustrate to you what kind of effort is involved,
    and what kind of time frame is involved.[3][4]

[2] I was the RE at my last job. I know firsthand that it ain't just
    turning a crank on a CVS snapshot to get a release.

[3] Unless the FreeBSD Project is willing to postpone or drop
    5.0-DP2, which I highly doubt, or to postpone or drop
    5.0-RELEASE, which I highly doubt, or to postpone or drop
    4.7-RELEASE, which I highly doubt. There's too much going on in
    this *volunteer* project to cater to everyone's whim, desire, or
    hobby horse.

[4] The effort to put some of these changes into RELENG_4_6 is
    somewhat less, but still nontrivial and, again, it's not my call.
    It's far more likely to happen if you offer to do some or all of
    the work.