Date:      Wed, 11 Apr 2001 14:06:22 -0400 (EDT)
From:      Robert Watson <rwatson@freebsd.org>
To:        Scott Johnson <sjohn@airlinksys.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Security Announcements
Message-ID:  <Pine.NEB.3.96L.1010411135944.84384I-100000@fledge.watson.org>
In-Reply-To: <20010411125207.A95503@ns2.airlinksys.com>

On Wed, 11 Apr 2001, Scott Johnson wrote:

> I just want to add my voice as to how I use FreeBSD. Simply saying 'use
> -STABLE' to those of us running -RELEASE on production systems isn't
> appropriate, since I believe we have valid reasons for running -RELEASE
> on our systems. These security issues are not so frequent that providing
> patches for -RELEASE should be too burdensome. In fact, if -STABLE was
> fixed, the fix is already available and could be applied to -RELEASE
> with little or no modification.  I've been pleased, actually, with how
> patches have been made available for -RELEASE until only recently, when
> both the bind and ntp vulnerabilities went by without patches. I
> thought, up till this discussion, that it was assumed that many run a
> -RELEASE, and that patches were supplied for that reason. I for one (and
> judging by the posts to this thread I'm not alone) use FreeBSD this way,
> and I ask that it be considered important to make security patches
> available for the latest -RELEASE. 

This has been a recognized problem with the current release practices for
a while, and for at least the past few months, it has been decided that
the practice will change for FreeBSD 4.3-RELEASE.  Rather than simply
creating a release tag on the RELENG_4 branch, we'll actually be generating
a new RELENG_4_3 branch.  This will permit us to deploy security patches
on the branch and generate new patchlevel point tags as needed.  The main
goal in this was actually to make the life of the security-officer easier: 
right now CVS allows us to manage patches and changes in branches, but
when we generate patches for releases, there's no automated and
reproducible way to do this.  Currently, the charter of the RELENG_4_3
branch will be that it simply carries security fixes, although it might
eventually also carry mission-critical functionality fixes or
work-arounds.  It will also allow users to cvs update/cvsup along that
branch to pick up all available critical release fixes, without picking up
new features, and permit easier generation of binary updates to the
release.

So the quick answer here is that the problem is already solved, we just
haven't had a release since the solution was agreed to by all the relevant
parties, so haven't seen any results yet.  When Jordan cuts 4.3-RELEASE in
a week or two, we'll get to see how well this works in practice.  It will
certainly make my life easier, both as a producer and consumer of security
fixes :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services