Date: Tue, 18 Jun 2002 03:49:28 -0600
From: Brett Glass <brett@lariat.org>
To: kgasso@blort.org
Cc: security@FreeBSD.ORG
Subject: Re: CDs with patched Apache?
Message-ID: <4.3.2.7.2.20020618033604.00d42aa0@localhost>
In-Reply-To: <20020617233108.A84129@blort.org>
References: <200206180539.XAA26264@lariat.org> <200206180539.XAA26264@lariat.org>
At 12:31 AM 6/18/2002, Kameron Gasso wrote:

>Wasn't the fact that -RELEASE branches don't get updated with new packages already discussed extensively in the not-so-distant past?

Some folks yelled at me for pointing it out, but alas there was no real discussion of how to solve the problem.

>Although it wouldn't be very glamorous (and I certainly wouldn't recommend it), the port installed with the latest -RELEASE could be "broken" so it wouldn't download and install without someone forcing it. Still, this wouldn't really encourage them to upgrade their ports tree - it'd more than likely just cause much swearing and force people to work around the problem.

It'd still be a warning. Hmmm.... Maybe the warning could be made part of pkg_add, and/or something that pkg_add executed. It would simply say, "proceed at your own risk!" But if you were installing from CD, you wouldn't be warned. Unless.... Unless pkg_add phoned home to check on the package. Which is possible if the machine can be connected to the Net.

>Long story short, no OS can keep an inexperienced admin from opening it up to security vulnerabilities...
>
>This is just another case of bad timing. Not a lot that can be done. Shouldn't we just follow the same precedent set from prior security issues which were installable from the base system (BIND, OpenSSH, etc.)?

I'd still like to come up with something better. But right now, I have a very practical reason for asking for a "clean" CD set. What I'm looking for is a CD set that I can hand out for evangelistic purposes -- something that a new user can use to set up a trouble-free Web server. Obviously, if it has a vulnerable version of Apache (it'll probably be targeted by a worm within a week), it won't be trouble-free! Ditto if the ATAPI CD-ROM problem isn't fixed. (Matt's right; this is important.) One thing about open source -- as Murray Stokely has pointed out -- is that it's OK to miss a ship date to get things working right.

If I were a CD manufacturer, I'd strongly consider waiting until I could ship discs with the two problems mentioned above fixed. The purpose of my query was simply to find out if one of the vendors was (a) holding off on shipping; or (b) planning to revise its CD set once the problems were fixed. (I could imagine doing a smaller run in anticipation of this.) Such a vendor would get bragging rights; it would be able to say it had a less buggy and more secure snapshot. So, I'm hoping that one will.

--Brett

P.S. -- Like your domain name. After Don Martin, I assume?

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message