From owner-freebsd-security Mon Mar 18 16:05:22 2002
Date: Mon, 18 Mar 2002 19:00:06 -0500
From: Steve Shorter
To: Christopher Schulte
Cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <20020318190006.A66422@nomad.lets.net>
References: <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org> <20020318181917.B66347@nomad.lets.net> <5.1.0.14.0.20020318173139.0537c438@pop3s.schulte.org>
In-Reply-To: <5.1.0.14.0.20020318173139.0537c438@pop3s.schulte.org>; from schulte+freebsd@nospam.schulte.org on Mon, Mar 18, 2002 at 05:48:23PM -0600
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG

On Mon, Mar 18, 2002 at 05:48:23PM -0600, Christopher Schulte wrote:
> At 06:19 PM 3/18/2002 -0500, Steve Shorter wrote:
> >         What is lacking in FreeBSD is a 4.5-RELEASE with
> > security fixes AND bug fixes.
> >
> >         -STABLE includes "new material" which can be unstable.
> > And -SECURITY only has "security fixes" but not bug fixes
> > in general, since the last RELEASE.
>
> RELENG_4_X was (still is) open to critical bug fixes, but generally it's
> used for critical *security* related bug fixes.  The problem is (at least)
> twofold as I see it:
>
> 2) How to draw a line in the sand and decide what will be committed to
> RELENG_4_X as a fix, and what will require a tracking of -STABLE or the
> next -RELEASE.  The last thing I want is a second -STABLE branch with lots
> of code updates, thus decreasing the overall stability.

        I agree mostly with your points, but is it not possible to

1) Eliminate new code, i.e. as in -STABLE development, but have bug
fixes for only existing code.

2) Eliminate "bugs in general" as the basis for a secure system.
Otherwise your "secure" branch remains buggy and therefore less secure,
since many security failures originate in buggy code.

3) A -SECURITY branch that contains buggy filesystem etc ... code is
simply less desirable and less usable.  For example I intended to stay
with 4.3-SECURITY at one time but am continually forced to upgrade
because of unfixed bugs in -SECURITY, though I don't want to.

        -steve