From: sthaug@nethelp.no
To: ronald-lists@klop.ws
Cc: freebsd-stable@freebsd.org
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Date: Mon, 15 Dec 2014 12:34:05 +0100 (CET)
Message-Id: <20141215.123405.74723741.sthaug@nethelp.no>

> >
> > Removing the changeroot environment and symlinking logic is a net
> > disservice to the FreeBSD community, and disincentive to use FreeBSD.
> >
> >
> > Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>
> Isn't this reasoning a bit flawed? Something hurt you so you state it is
> hurting a whole community.
>
> I, for one, am glad the security updates of the Bind software are now
> better maintainable across all FreeBSD versions.

I don't see the connection between removing BIND from the base system
(I agree that this makes BIND updates better maintainable) and the
complete removal of the changeroot/symlink functionality.

> NB: using a jail might give an easier to maintain secure environment for
> bind than a chroot. With more restrictions to the process also.

Absolutely agree. However, that requires time to learn jails properly,
which I don't have right now. Thus *for me*, it would have been much
nicer if the BIND ports had kept the changeroot/symlink functionality
that (as far as I know) Doug Barton put in.

I don't claim to speak for anybody but myself :-)

Steinar Haug, Nethelp consulting, sthaug@nethelp.no