From owner-freebsd-security@FreeBSD.ORG Mon May 22 15:46:56 2006
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4BCE816B66E; Mon, 22 May 2006 15:46:56 +0000 (UTC) (envelope-from gorebofh@comcast.net)
Received: from sccrmhc14.comcast.net (sccrmhc14.comcast.net [204.127.200.84]) by mx1.FreeBSD.org (Postfix) with ESMTP id CDC8F43D68; Mon, 22 May 2006 15:46:54 +0000 (GMT) (envelope-from gorebofh@comcast.net)
Received: from hp.org (c-69-246-87-201.hsd1.mi.comcast.net[69.246.87.201]) by comcast.net (sccrmhc14) with ESMTP id <2006052215465301400kttjme>; Mon, 22 May 2006 15:46:53 +0000
Received: by HP.org (Postfix, from userid 1000) id 44B26507E8; Mon, 22 May 2006 11:49:34 -0400 (EDT)
Date: Mon, 22 May 2006 11:49:34 -0400
From: Allen
To: freebsd-security@freebsd.org, FreeBSD Stable
Message-ID: <20060522154934.GB16937@HP.hsd1.mi.comcast.net>
Mail-Followup-To: freebsd-security@freebsd.org, FreeBSD Stable
References: <4471361B.5060208@freebsd.org> <2DB25B04-BCE6-41D2-9D95-03C58A493E2C@ece.cmu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2DB25B04-BCE6-41D2-9D95-03C58A493E2C@ece.cmu.edu>
User-Agent: Mutt/1.5.9i
Cc:
Subject: Re: FreeBSD Security Survey
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 22 May 2006 15:47:04 -0000

On Mon, May 22, 2006 at 12:06:54AM -0400, Brandon S. Allbery KF8NH wrote:
>
> On May 21, 2006, at 11:55 , Colin Percival wrote:
>
> >The Security Team has been concerned for some time by anecdotal reports
> >concerning the number of FreeBSD systems which are not being promptly
> >updated or are running FreeBSD releases which have passed their End of
> >Life dates and are no longer supported. In order to better understand
> >which FreeBSD versions are in use, how people are (or aren't) keeping
> >them updated, and why it seems so many systems are not being updated, I
>
> I have a 6-STABLE box that is not going to be updated to 6.1 any time
> soon, because my personal mail will have to be offline while I do so
> --- including nuking and rebuilding all ports because the ports tree
> has been thrashed by multiple low level updates that affect a large
> percentage of the tree --- and it's only a 600MHz box so it will be
> offline for most of a week during that upgrade. And I'm uncertain
> how downgrading it to 6.0-RELEASE+security patches will complicate
> things (downgrading via cvsup/buildworld is not a supported option,
> last I checked). Granted, I probably should have stuck with 6.0-R
> --- but then, experience has shown me that the more reliable option
> is to wait a week or two after release and then install -STABLE.
>
> In short: keeping FreeBSD up to date tends to be painful at best.

I'd have to agree. Though it's much better than some systems, it's still something I'd like to see some improvement on. For example, I understand the reasons for how FreeBSD does things, I do. However, one thing I'd love to see is a much better tool for handling updates and upgrades. I may get reamed for what I'm about to say, but I'm willing to deal with whatever happens with this: I'd like to see FreeBSD include an approach to updates in the way Slackware Linux does...

Now before I get 10,000 emails saying I'm stupid or something to that effect, let me explain: I've been using, supporting and telling people about FreeBSD for many years. When I got my first computer, I had installed FreeBSD not long after, and that was coming from Windows 95 / 98 SE. One thing that always made me mad was when a new security flaw came out. On my Slackware machines it was no problem at all; I'd use wget to grab the patch .tgz file, then do this:

upgradepkg *.tgz

I'd go get coffee or something and come back to all patches being installed. I know about portupgrade, and it's a good start, but I think there would be huge benefit from a tool that allows you to download a tgz file and do the above to install patches. A lot of Linux-only users I know would use FreeBSD if the patching system was something more Slackware-like. And I don't consider it a rip-off to make a system like that because, well, Slackware is a supporter of BSD. The Slackware Essentials book I bought has BSD on the back of it, and BSD is also listed as a supporter of Slackware, so I see no moral problem with creating something for FreeBSD that would allow this.

From what I've seen in portupgrade, you have to use a key... Which is nice and all, but it defeats the purpose when I've personally seen someone say "Ugh, you have to do all this just to set up portupgrade? And you have to recompile the kernel for that Telnet update????"... Explanations as to why don't work. I just personally feel there would be a lot more boxes getting patches installed if you could do it like Slackware, or Linux in general, and allow for patches that you just install with one command. RedHat and some other distros use RPM, and they have their own update tools, but if you wanted you could just download the RPMs and do rpm -U to update. Slackware I've shown already. It's a good system.

From what I've understood, FreeBSD doesn't usually do binaries.... I could be wrong here as I'm not positive...

But I really think it would be for the best if there was something added to FreeBSD where you could just install patches the way you do on Linux. I mean you wouldn't have to remove the other system that is in use now, and as I said portupgrade is a good start; however, for the people I talk to it doesn't seem to be enough. I'd love to see something like this added into FreeBSD where the people who like the updates the way they are now could keep using that way, and the newcomers and people who aren't used to it could use the other way. Like I said, Linux has two ways: you can use an update tool like RedHat's up2date, or you can download the RPMs yourself. Slackware has Swaret, slackpkg, and slapt-get, or you can simply download the patches, which are already .tgz files, and use upgradepkg to install them.

I think the benefits would be great and more people would use it if they knew that when a new security problem came out in FreeBSD all they had to do was download a patch and type upgradepkg, or type patch, and it installed like this. And then a front end could be done where you had a GUI to use for this too. And think of how many new users would be using it when they knew how easy it was?

I support FreeBSD either way; I buy books, and I buy the CD sets to help out. And I will continue using it either way, I just would love to see something like this implemented. As would a lot of others in my area. I'd do it all myself and release it if I could code well enough to do something like this, but until I can, I can at least point out a good idea.

-Allen.
Buying FreeBSD power paks since 4.0

> --
> brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
> system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
> electrical and computer engineering, carnegie mellon university KF8NH
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"