Date:      Sun, 29 Jul 2001 09:40:43 
From:      "unknown source" <callihn@hotmail.com>
To:        freebsd-questions@freebsd.org
Subject:   RE: Would it be so hard?
Message-ID:  <F199LOcwFmUM11n3HRM000056a1@hotmail.com>




>From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
>To: "unknown source" <callihn@hotmail.com>, <freebsd-questions@FreeBSD.ORG>
>Subject: RE: Would it be so hard?
>Date: Sun, 29 Jul 2001 01:45:14 -0700
>
> >-----Original Message-----
> >From: owner-freebsd-questions@FreeBSD.ORG
> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of unknown source
> >Sent: Sunday, July 29, 2001 1:09 AM
> >To: freebsd-questions@FreeBSD.ORG
> >Subject: Would it be so hard?
> >
> >
> >Would it be so hard to have patched iso images of freebsd kinda like a
> >mini release I guess. I'm sure you want support?
>
>Yes it would.  While the telnetd vulnerability is only one file - telnetd -
>and thus it would not be that difficult to remake the ISO, the Project
>already did a binary-only patch to 4.3-RELEASE.  Many other security issues
>are more serious and involve more files - take a look at BIND in 4.2-RELEASE
>for example.  Regenerating an ISO is a lot of work being diverted from effort
>on the next release.  Furthermore it just provokes people to download the
>entire ISO instead of just the patch, which wastes an enormous amount of
>bandwidth.
>
>For this hole, patching 4.3-RELEASE is a binary-only operation that doesn't
>even run the compiler or require the source to be installed.  Patching any 4.X
>that's earlier than that only requires that sysinstall be run and the
>/usr/libexec sources to be installed, followed by the source patch followed by
>a 'make install'.  This is not too hard to ask anybody to do.
>
>Consider there's only a finite amount of bandwidth available to the FTP
>servers.  Distributing this as a patch that only takes a few seconds to
>download maximizes the number of FreeBSD users that can get their system
>patched in a timely manner.  This tremendously increases the rate at which
>vulnerable systems are taken offline, which discourages wannabes from
>attempting to attack large numbers of FreeBSD systems, which decreases the
>risk to everybody.
>
> >Well I have tried that I
> >purchased the 4.2 powerpack and then purchased 4.3 for what? By the time I
> >got them I had to patch the kernel now that reminds me of M$ you buy and buy
> >and buy but you never have the latest and it's never secure.
> >It really is a pain to have to patch the kernel three or four times after an
> >install from the iso
>
>Wake up, this is going to be the norm for ALL operating systems.  There's a
>veritable army of crackers out there and a much larger number of wannabe
>crackers who are all looking for a little recognition by breaking into
>systems. They are using more and more sophisticated tools to find more and
>more holes and those holes are going to be discovered at a faster and faster
>rate.  It's simply impractical to base your release schedule around when
>the next bed-wetting cracker wannabe plans to distribute their crack script
>that they found.
>
> >not to mention all the ports that you will have to fix
>
>That is NOT the FreeBSD Project's responsibility, that's the port maintainers'
>responsibility.  And even if the Project was making a new ISO every time there
>was a security hole, there's no guarantee that the port maintainers of every
>port in BSD would agree to release updated ports for all the security
>releases.
>
> >the latest I could find on the -stable or releng branches is 20010721 which
> >would need one core and one port patched to be secure if I could figure out
> >how to make an iso out of it I have seen a japan ftp server that has weekly
> >iso's but I dont speak that language is there just no interest in being able
> >to do a fresh install from a bootable CD that is stable and secure? in the
>
>Not if it requires sacrificing all the other users to do it.
>
>
>Ted Mittelstaedt                                       tedm@toybox.placo.com
>Author of:                           The FreeBSD Corporate Networker's Guide
>Book website:                          http://www.freebsd-corp-net-guide.com
>
Well you have some good points here Ted, I am not as unreasonable as you seem 
to take me =o) Please bear in mind that SA-01:42 the signal handling issue 
does involve recompiling the kernel. I really was not commenting on the ports, 
just the core, and like I said it is done on the japan ftp server every time 
-stable is updated, not my language though ;-) and I really am not sure that 
it would cause most to download the iso, only those that are doing a lot of 
installs and would like to save some time while doing so, or new users which 
have not installed yet. And I would have to strongly disagree with the other 
OS examples; wintendos, engarde linux, slackware linux and openbsd, 
these operating systems as an example, have less advisories in a year than is 
being found in freebsd per month. Is it just that everyone is picking on 
freebsd? Since the core advisories stated that one way to fix the problem 
would be to update to a -stable branch after their dates, I have to ask again: 
where did they go? I thought this was open source? Anyway, not that it will 
sink in, but freebsd is said to be stable and good for servers, will run for 
years without maintenance, so the box says, but it seems something has to be 
patched every week, so how is that so? So being a fairly reasonable customer 
<--"point" how can I find some sort of middle ground here. Although I may 
seem unreasonable to some users, 
I wonder how many paying customers not on the freebsd team think that this 
is all so unreasonable and that some effort should not be made to bridge the 
security gap. Or are you telling me I should read The FreeBSD Corporate 
Networker's Guide?

