Date:      Mon, 15 Dec 2014 11:41:29 +0100
From:      Michelle Sullivan <michelle@sorbs.net>
To:        Chris Knight <stryqx@gmail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <548EBAD9.8050701@sorbs.net>
In-Reply-To: <CAHgj5TQrQ0er0ntsuGAF_e8DRK4NTXzqoxxtYYh3orZZH8_K6w@mail.gmail.com>
References:  <CAN6yY1sVGiQFNkoi0mGZs7grJ5SMAui-rDO1e8UDAs0PTUVL9g@mail.gmail.com> <alpine.BSF.2.00.1312031407090.78399@roadkill.tharned.org> <20131203.223612.74719903.sthaug@nethelp.no> <20141215.082038.41648681.sthaug@nethelp.no> <CAHgj5TQrQ0er0ntsuGAF_e8DRK4NTXzqoxxtYYh3orZZH8_K6w@mail.gmail.com>

Chris Knight wrote:
> Howdy,
>
> On 15 December 2014 at 18:20,  <sthaug@nethelp.no> wrote:
>> [snip]
>> <rant>
>> Removing the changeroot environment and symlinking logic is a net
>> disservice to the FreeBSD community, and disincentive to use FreeBSD.
>> </rant>
>>
> +1
> This, and the mess that is pkg, is making me reconsider FreeBSD as my
> Open Source OS of choice, after 20 years of use.
> The patchwork quilt of components that makes up a Linux distro doesn't
> need to be complemented by further FreeBSD releases :-(
>
+1

Ronald Klop wrote:
>
> Isn't this reasoning a bit flawed? Something hurt you so you state it
> is hurting a whole community.
>
Not really. The problem is you have production environments, people
change something (sometimes announced in advance, sometimes not), a
security issue comes out and you "upgrade"/"patch" and suddenly your
production environment is broken because the patch didn't just close a
security hole, it rewrote the installation in a way that was
incompatible with the running environment.

> I, for one, am glad the security updates of the Bind software are now
> better maintainable across all FreeBSD version.
> NB: using a jail might give an easier to maintain secure environment
> for bind than a chroot. With more restrictions to the process also.

That it might be, but that doesn't justify changing everything on a
whim.  Happened to me with the Bapt 1st Sept port patches to force
people to switch to pkg...  I still don't have my production machines
switched over, and despite Bapt doing his damnedest in breaking
everything, I now have a working build server (with considerable
hacking) using the old package system and a pkgng build system so I can
build both and continue to migrate servers.  However, I spend most of my
time patching the Mk/* and Uses/* directories to keep it working..
which the majority of the time is just copying new Uses/* files into the old
build system and removing the relevant code from the old *.mk files..

Why haven't I switched to pkgng?  Production systems that require
regression testing dev env's and instead of doing that I'm building and
patching systems to make the build process work... and why am I doing
that?  Because some patches I required in production (some to make it
work, some security related) were not patched back to the quarterly
where it all worked *despite asking for them to be* so I had to go down
the path of making the old build system work again...

Now consider this drive to make FreeBSD more like another Linux with a
different kernel....  Why would people switch to FreeBSD now, they might
just as well stay with Linux and all the packaging problems..

Consider the above to Solaris and a problem I had yesterday... I still
have a few Solaris servers, and used to use 'sunfreeware' .. was always
a pain to use for anything that needed other options than those
compiled...  but it was good for getting a working compiler then could
build my own software the hard way... So when 'sunfreeware' stopped
being 'free' I switched to OpenCSW...  48 hours ago I had to update and
upgrade 3 of the systems due to the latest BIND9 security issue.. found
out, Solaris 8 is not supported anymore (they still have all the old
working packages - EOL'd - *not broken* - just frozen in time, no new
patches...)  Solaris 9 had gone the same way... again *not broken*.. and
my Solaris 10 box, well, they had built the packages against a patched
LibC that was incompatible with older systems so with the upgrade I
found my system had no working sudo, no working ssh, nor any other tools
... so much for 'pkgutil -U -u' (which is the equiv of 'pkg -f upgrade'
in PKGNG) not breaking anything...  Turns out it was my problem because
of a missing base patch, which I applied and got it all back up and
running again... however that was because I still had a root shell over
ssh and was able to complete patching before losing my connection,
otherwise I wouldn't have been able to do anything without remote hands...

Now my point?  I went to the #OpenCSW IRC channel and managed to get
hold of one of the developers who was able to help with the issue,
tell me which patch etc.. but it didn't stop there... I commented that
it would be nice if my server wasn't so easily fucked because of a
missing patch and it should at least be announced...  (I was a little
pissed off and tetchy) however, complete professionalism there, they
helped with the patchid, indicated that the particular patch should have
been applied in 2008.. which led me to find out that the 'automated
patching' daemon that Sun made had actually failed to patch anything...
they came to an agreement (took on board what I said immediately) and
have decided to code a patch so that the pkgutil will check for
required base packages and refuse to patch anything (including the
catalog) to a version of the system that requires a missing patch.  At
the same time they updated the website immediately to indicate the issue
as a warning to people that might be in the same situation as me...
This patch they are working on will effectively create a 'rolling EOL'
for a particular build set... i.e. everything will continue working except
you can't patch to a level that requires a BaseOS pre-req... so if you
need a patched piece of software and don't have a pre-req OS patch you
can still download all the latest working tools so you can roll your own
until you can BaseOS patch.... what a refreshing change...  Developers
that take on good ideas without forcing upgrades first or forcing their
own agendas.

Harsh... yes maybe... and my apologies to those FreeBSD developers that
I have had private email convos with to resolve issues and patches that
have also been as helpful..  but theirs is (mostly) not the public voice
of change in FreeBSD...

Sorry for the rant. (and no I didn't proof-read before hitting send -
spent enough time writing it!)

-- 
Michelle Sullivan
http://www.mhix.org/
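The prerequisite check Michelle describes OpenCSW planning for pkgutil (refuse to move a package to a build that needs a base-OS patch the host does not have, while still offering the newest build that will actually run) can be modelled with a small upgrade planner. The code below is an added illustration written for this archive page; it is not OpenCSW's pkgutil and not FreeBSD's pkg. The catalog format, the package names, version numbers and the patch id "base-2008-07" are all constructed for the example.

```python
"""Prerequisite-aware upgrade planner.

Added illustration of the "refuse to patch past a missing base-OS
prerequisite" idea described in the thread. This is NOT OpenCSW's pkgutil
and not FreeBSD's pkg; the catalog format, package names, version numbers
and patch ids below are all constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Build:
    """One build of a package as listed in a catalog."""
    name: str
    version: tuple                      # comparable tuple, e.g. (9, 9, 6)
    requires: frozenset = frozenset()   # base-OS patch ids this build was linked against


# Constructed catalog: each package has an older build with no base-OS
# prerequisite and a newer build that needs the made-up patch "base-2008-07".
SAMPLE_CATALOG = (
    Build("bind", (9, 9, 4)),
    Build("bind", (9, 9, 5)),
    Build("bind", (9, 9, 6), frozenset({"base-2008-07"})),
    Build("sudo", (1, 8, 10)),
    Build("sudo", (1, 8, 11), frozenset({"base-2008-07"})),
    Build("openssh", (6, 6)),
    Build("openssh", (6, 7), frozenset({"base-2008-07"})),
)

# Constructed state of one host: installed versions and the base patches it has.
# The "automated patching" silently failed, so base-2008-07 was never applied.
SAMPLE_INSTALLED = {"bind": (9, 9, 4), "sudo": (1, 8, 10), "openssh": (6, 6)}
SAMPLE_BASE_PATCHES = frozenset({"base-2007-01"})


def naive_plan(catalog, installed):
    """Old behaviour: take the newest build of every installed package,
    whether or not the host can actually run it."""
    plan = {}
    for name, current in installed.items():
        newest = max((b for b in catalog if b.name == name), key=lambda b: b.version)
        if newest.version > current:
            plan[name] = newest
    return plan


def safe_plan(catalog, installed, base_patches):
    """Rolling-EOL behaviour: for each installed package pick the newest build
    whose base-OS prerequisites are all present. Builds that were skipped are
    reported with the patches they are missing, so the operator learns why a
    package is held back instead of ending up with a broken sudo and ssh."""
    plan, held = {}, {}
    for name, current in installed.items():
        builds = sorted((b for b in catalog if b.name == name),
                        key=lambda b: b.version, reverse=True)
        for b in builds:
            missing = b.requires - base_patches
            if missing:
                held.setdefault(name, []).append((b.version, sorted(missing)))
                continue
            if b.version > current:
                plan[name] = b
            break   # newest runnable build found; stop whether or not it is an upgrade
    return plan, held


def describe(plan, held):
    """Human-readable summary: the notice that should be shown (or announced)
    before any upgrade proceeds."""
    dotted = lambda v: ".".join(map(str, v))
    lines = [f"upgrade {n} -> {dotted(b.version)}" for n, b in sorted(plan.items())]
    for n, skipped in sorted(held.items()):
        for ver, missing in skipped:
            lines.append(f"hold    {n} {dotted(ver)}: needs base patch(es) {', '.join(missing)}")
    return lines


if __name__ == "__main__":
    print("naive:", {n: b.version for n, b in naive_plan(SAMPLE_CATALOG, SAMPLE_INSTALLED).items()})
    p, h = safe_plan(SAMPLE_CATALOG, SAMPLE_INSTALLED, SAMPLE_BASE_PATCHES)
    print("\n".join(describe(p, h)))
```

Run as-is, `naive_plan` moves all three packages to the builds that need the absent base patch (the situation described above, where sudo and ssh stopped working), while `safe_plan` upgrades bind only as far as 9.9.5 and lists the held-back builds with the patch they require; once the base patch is recorded as present, the same call returns the newest build for every package.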
