From: "FreeBSD User"
To: freebsd-security, FreeBSD Stable
Date: 22 May 2006 15:20:11 -0000
Subject: RE: Re: FreeBSD Security Survey

As an administrator, time is always an issue. FreeBSD has proven itself time and again. Having said that, one "wish" would be to have a default/built-in security update mechanism. Since time is always an issue, if the system could by default (without an admin having to write scripts and/or apps, or manually update) update itself for both system and installed ports/packages, it likely would reduce security issues exponentially. This of course would be a massive project/challenge. Varying system and kernel configurations alone would make this a huge challenge, not to mention the potential security implications.

The survey is a great idea. I suggest adding a section for administrators to add comments and/or "wishes".

Sejo

Brent Casavant wrote:
> On Sun, 21 May 2006, Colin Percival wrote:
>
>> In order to better understand which FreeBSD versions are in use, how
>> people are (or aren't) keeping them updated, and why it seems so many
>> systems are not being updated, I have put together a short survey of
>> 12 questions.
>
> I applaud this survey, however question 9 missed an important point,
> at least to me. I was torn between answering "less than once a month"
> and "I never update".
>
> While I find ports to be the single most useful feature of the FreeBSD
> experience, and can't thank contributors enough for the efforts, I on
> the other hand find updating my installed ports collection (for security
> reasons or otherwise) to be quite painful. I typically use portupgrade
> to perform this task. On several occasions I got "bit" by doing a
> portupgrade which wasn't able to completely upgrade all dependencies
> (particularly when X, GUIs, and desktops are in the mix -- though I
> always follow the special Gnome upgrade methods when appropriate).
>
> I can't rule out some form of pilot error, but the end result was pain.
>
> After several instances of unsatisfactory portupgrades (mostly in the
> 5.2 through early 5.4 timeframe), I adopted the practice of either not
> upgrading ports at all for the life of a particular installation on a
> machine (typically about one year), or when necessary by removing *all*
> ports from the machine, cvsup'ing, and reinstalling. This has served
> me quite well, particularly considering the minimal threat profile these
> particular systems face.
>
> So, in short, that's why *I* rarely update ports for security reasons.
>
> There are steps that could be taken at the port maintenance level that
> would work well for my particular case, however that's beyond the scope
> of the survey. Thanks for taking the time to put the survey together, I
> certainly hope it proves useful.
>
> Thank you,
> Brent Casavant

I share this frustration with you. I was once told that the pain in upgrading is due largely to a somewhat invisible difference between installing a pre-compiled package, and building+installing a port. In theory, if you stick to one method or the other, things will stay mostly consistent. But if you mix them, and particularly if you update the ports tree in the process, the end result is a bit more undefined.

One thing that I wish for is that the ports tree would branch for releases, and that those branches would get security updates. I know that this would involve an exponentially larger amount of effort from the ports team, and I don't fault them for not doing it. Still, it would be nice to have.

Scott