From owner-freebsd-security  Mon Mar 18 16: 5:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from spitfire.velocet.net (spitfire.velocet.net [216.138.223.227])
	by hub.freebsd.org (Postfix) with ESMTP id CCAB737B405
	for <security@FreeBSD.ORG>; Mon, 18 Mar 2002 16:05:17 -0800 (PST)
Received: from nomad.tor.lets.net (H74.C220.tor.velocet.net [216.138.220.74])
	by spitfire.velocet.net (Postfix) with SMTP id 8AAB5FB45C7
	for <security@FreeBSD.ORG>; Mon, 18 Mar 2002 19:05:16 -0500 (EST)
Received: (qmail 66444 invoked by uid 1001); 19 Mar 2002 00:00:07 -0000
Date: Mon, 18 Mar 2002 19:00:06 -0500
From: Steve Shorter <steve@nomad.lets.net>
To: Christopher Schulte <schulte+freebsd@nospam.schulte.org>
Cc: Brett Glass <brett@lariat.org>, security@FreeBSD.ORG
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib
Message-ID: <20020318190006.A66422@nomad.lets.net>
References: <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org> <4.3.2.7.2.20020318140507.00e58dc0@nospam.lariat.org> <20020318181917.B66347@nomad.lets.net> <5.1.0.14.0.20020318173139.0537c438@pop3s.schulte.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.1.0.14.0.20020318173139.0537c438@pop3s.schulte.org>; from schulte+freebsd@nospam.schulte.org on Mon, Mar 18, 2002 at 05:48:23PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Mon, Mar 18, 2002 at 05:48:23PM -0600, Christopher Schulte wrote:
> At 06:19 PM 3/18/2002 -0500, Steve Shorter wrote:
> >         What is lacking inf FreeBSD is a 4.5-RELEASE with
> >security fixes AND bug fixes.
> >
> >         -STABLE includes "new material" which can be unstable.
> >And -SECURITY only has "security fixes" but not bug fixes
> >in general, since the last RELEASE.
> 
> RELENG_4_X was (still is) open to critical bug fixes, but generally it's 
> used for critical *security* related bug fixes.  The problem is (at least) 
> two folded as I see it:
> 
> 2) How to draw a line in the sand and decide what will be committed to 
> RELENG_4_X as a fix, and what will require a tracking of -STABLE or the 
> next -RELEASE.  The last thing I want is a second -STABLE branch with lots 
> of code updates, thus decreasing the overall stability.

	I agree mostly with your points, but is it not possible to

	1) Eliminate new code, ie. as in -STABLE development, but
           have bug fixes for only existing code.

	2) Eliminate "bugs in general" as the basis for a
           secure system. Utherwise your "secure" branch remains buggy
           and therefore less secure, since many security failures 
           originate in buggy code.

	3) A -SECURITY branch that contains buggy filesystem etc ...
           code is simply less desirable and less usable. For example
           I intended to stay with 4.3-SECURITY	 at one time but
           am continually forced to upgrade becuase of unfixed bugs
           in -SECURITY, though I don't want to.


	-steve

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message