Date: Wed, 3 Jul 2002 10:23:37 -0700 From: "brian j. peterson" <rbw@myplace.org> To: Brett Glass <brett@lariat.org> Cc: freebsd-security@FreeBSD.ORG Subject: Re: security fixes Message-ID: <20020703172337.GD32703@malkavian.org> In-Reply-To: <4.3.2.7.2.20020702155758.00e9a2c0@localhost> References: <009201c2213a$dd3a4b00$edec910c@fbccarthage.com> <4.3.2.7.2.20020702155758.00e9a2c0@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
[freebsd-security subscribers: this is a response to what i consider to
be a horribly off-topic thread, so if you prefer to avoid such posts,
please read no further and accept my apologies for subjecting you to
even this much.]
On Tue, Jul 02, 2002 at 04:06:13PM -0600, Brett Glass wrote:
>
> With the flurry of changes going on (including the OpenSSH hole and libc
> hole in the base install and the Apache vulnerability in the ports and
> packages), it'd be nice to see an interim release. Who here would be
> in favor of that? Who, on the FreeBSD Core Team, might make the decision
who here would be in favor of that? very few, i would hope.
i know the last thing i want the FreeBSD team to do is spend all their
limited volunteered time (and limited donated resources) on creating a new
-RELEASE for every new security problem that is discovered. this would be
a gross waste. they already spend plenty of time fixing the security
problems as they crop up, so apply the patches they supply and recompile
what you need to and be happy they are so responsive and informative and
responsible.
> to do an interim release before 4.7 (scheduled for October)? (Yes, it
> takes work to put out a release, but do we really want everyone who wants
> a secure system to have to install from -STABLE snapshots, running the
> risk of picking a bad day, for four months?)
of course we don't want a person who wants a secure system to install from
a -STABLE snapshot, that's why it's not recommended. installs should be
done with a -RELEASE and then updated as per the requirements of the user.
if the user simply wants to keep up to date with the latest changes, he
should update to (and probably track) RELENG_x and subscribe himself to
the freebsd-stable mailing list. if the user desires security above all
else, he should update to RELENG_x_y and subscribe himself to the
freebsd-security-notifications mailing list.
Brett? i've watched you harp on the same damn point for months now, and
i know i'm not the only one getting tired of it. really, we get it. we
know you want a brand new installable build for every new security problem
that is discovered. i've watched you start new threads on this topic.
i've watched you steer completely unrelated threads to this topic. i've
watched you start new threads on very specific topics for very specific
security bugs only to take flying leaps of logic to conclude (in essence)
"clearly, we need constantly updating -RELEASE builds otherwise we're
being grossly unethical, mean, and also probably smelly." WE. GET. IT.
we also get that you're full of sound and fury (and whining and moaning),
and little else. you talk and talk and talk and talk, but you don't
actually try to DO anything. would a brand new installable build every
few days be nice? sure. is it feasible? not currently, and probably
not any time soon. and even if there were a new installable build every
few days, what then? users would still have to go back and update their
already installed systems. users would still have to keep informed about
updates to FreeBSD. you seem to think that the update mechanism isn't
good enough, and the FreeBSD developers would seem to agree; they are
working on binary upgrades (as opposed to patch/compile upgrades), but
these things don't happen overnight. and they don't happen any faster
with you complaining about things. and they certainly wouldn't happen
any faster if all of FreeBSD's resources were tied up in building new
-RELEASEs every twelve minutes. if you are too impatient to wait for
change to happen, MAKE it happen. get directly involved. contribute
something tangible. that's the beauty of this FreeBSD thing; if you
actually have something to contribute, you can actually make a real
difference.
-Brian
--
--===-----=======-----------=============-----------------===================
bjp aka rbw | and did you exchange a walk on part in the war
rbw@myplace.org | for a lead role in a cage?
===================-----------------=============-----------=======-----===--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020703172337.GD32703>