Date: Fri, 6 Jun 2003 17:48:42 -0700 (PDT)
From: Doug Barton <DougB@freebsd.org>
To: freebsd-arch@FreeBSD.org
cc: Bill Moran
Subject: Re: Way forward with BIND 8
In-Reply-To: <20030606161002.GC82589@dragon.nuxi.com>
Message-ID: <20030606173304.T15459@znfgre.qbhto.arg>
References: <20030605235254.W5414@znfgre.qbhto.arg> <20030606133644.GB49662@iconoplex.co.uk> <20030606161002.GC82589@dragon.nuxi.com>

On Fri, 6 Jun 2003, David O'Brien wrote:

> On Fri, Jun 06, 2003 at 10:28:06AM -0400, Bill Moran wrote:
> > The "at this time" part of his response says to me that the current "mixed"
> > status of 5 as -CURRENT as well as -RELEASE and the current effort to get
> > 5 -STABLE is what's preventing the import of BIND 9. Once 5 is branched
> > to a 6-CURRENT, I'm sure the possibility will open up to import BIND 9
> > again. At that time ...
>
> The problem is that means that all throughout the 5-STABLE branch (I'd
> figure 2 years), we have BIND8 in the tree

I don't think that's a valid conclusion. I have in mind at some point in
the future to import bind 9 into 6-current, and I don't think it would be
totally unreasonable to mfc it to 5-stable, assuming that the bind 9 code
stabilizes early enough in the 5-stable lifecycle to justify this.

> If we're going to forever stick with ancient versions of stuff in
> src/contrib;

BIND 8 isn't ancient.... it's still being actively developed, and bug
fixes for urgent security issues are released in a timely manner. It's
not the newest, shiniest toy, but in this case I think it's worthwhile to
stick with the older, more reliable model.

> we might as well kick BIND out and require the use of a port.

I've seriously considered that. The problem is, out of the 3 parts of
BIND, the named stuff is the only one we can seriously live without. We
have:

1. named, and related stuff like named-xfer
2. resolver libraries
3. userland stuff, like dig, host, nslookup (gag), etc.

Now we can definitely do without 1 in the base, and I'd love to make the
library stuff more modular, but every time we start to talk about that,
the discussion degenerates into people mumbling with glassy expressions
on their faces. As for 3, I don't think we can seriously ship FreeBSD
without basic dns diagnostic tools and still call it Unix-like. As I
mentioned in my previous post, there is also the issue of the output
formats for the userland stuff having changed dramatically in bind 9,
which is going to cause problems for people who've scripted stuff using
those tools.

> I use FreeBSD because I want fresh userland software (when it is
> ready, and surely by X.2.2 it is)

David, come on. You of all people should know better than to base
technology decisions on version numbers. :)

Here is the problem, in more detail for those who don't follow BIND
development.

9.2.2 has actually reached a certain level of maturity and stability. The
problem is that with 9.3, they are starting from scratch on large
portions of the codebase, especially those related to dnssec. Thus, if we
import 9.2.2 now, we're going to be faced with a decision down the road
of whether or not to import 9.3.0, and all those shiny new bugs.
Virtually all of the vulnerabilities discovered in the 8.x codebase over
the last several years have been related to just this area... dnssec and
tsig. Therefore, I'm very much of the opinion that we should put off
considering import of bind 9 until the 9.3.x branch, and then wait a
version or two for the code to stabilize. This should coincide nicely
with our timing for 6-current.

> that is easily installable and upgradeable via 'make world'. Otherwise
> I'd use NetBSD.

So put 'NO_BIND' and 'PORT_REPLACES_BASE_BIND9' in /etc/make.conf, and
you're done. :) In fact, I'd like to encourage all those who are
promoting this change to do just that... I'd be interested in feedback
from people on this too.

Doug

-- 
This .signature sanitized for your protection