Date:      Thu, 18 Apr 2002 15:43:38 -0700
From:      Benjamin Krueger <benjamin@macguire.net>
To:        Jeff Palmer <scorpio@drkshdw.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID:  <20020418154338.D23267@rain.macguire.net>
In-Reply-To: <012901c1e725$da237e90$0286a8c0@jeffrey>; from scorpio@drkshdw.org on Thu, Apr 18, 2002 at 06:10:30PM -0400
References:  <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <012901c1e725$da237e90$0286a8c0@jeffrey>

> ----- Original Message -----
> From: "Brett Glass" <brett@lariat.org>
> To: "Christopher Schulte" <schulte+freebsd@nospam.schulte.org>;
> <security@FreeBSD.ORG>
> Sent: Thursday, April 18, 2002 12:10 PM
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
> 
> 
> > At 11:11 PM 4/17/2002, Christopher Schulte wrote:
> >
> > >You can synchronize your source tree and recompile.  See:
> > >
> > >http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html
> >
> > Alas, this is not an acceptable solution.
> >
> > I realize that many people use FreeBSD on non-mission-critical systems, or
> > to tinker with, and can afford downtime. But we need to create and maintain
> > production machines.
> >
> > I hope that you can understand that doing a CVSup and then rebuilding the
> > world every night (slowing the system to a crawl in the process and
> > creating a system which might or might not be 100% stable) is not an
> > acceptable solution. Nor is downloading a random snapshot. (Which one
> > can't seem to do anyway these days; releng4.freebsd.org is refusing
> >
> > What is needed is a known good "p3" (or "p-whatever") build that can be
> > installed quickly with minimum downtime. Yet, despite the fact that
> > people routinely refer to (for example) "4.5-RELEASE-p3", no such build
> > seems to actually exist. For those of us who create and manage production
> > servers, there should be.
> >
> > --Brett Glass

* Jeff Palmer (scorpio@drkshdw.org) [020418 15:08]:
> It's not the FreeBSD community's fault if you don't have a non-critical
> machine to test a cvsup, before going "live" in a production environment.
> Most respectable companies with mission critical servers would do so.
> 
> It's also not our fault if cvsup is "not an acceptable solution" in your
> circumstances. It works for the rest of the world.
> 
> Get off your high horse,  and mock up a server, cvsup test it, and then
> upgrade your production servers. If this is still unacceptable,  Please feel
> free to code up your own patches, apply them, and quit bitching on the
> mailing lists?
> 
> Jeff

There seems to be a lot of animosity among people, rather than constructive
discussion of the issue that has been raised. This can't be too productive.
Sometimes an improvement suggestion is just an improvement suggestion, and not
an accusation or hostile criticism. I think everyone here wants to see The
Project improve and benefit us all.

Like it or not, Brett has raised a concern which is entirely valid and echoed
by many system administrators. (I have a feeling the number is not small.)
FreeBSD currently does not enable easy maintenance between critical release
points for large server environments. Using cvsup to maintain source builds
for environments like these (say 400 servers or more) is not only
unacceptable without an on-staff developer and release engineer, it is
infeasible.

For those of you who would be quick to note that "Corporations with 400 
servers should be able to afford a developer and release engineer" please 
note that 400 NT, Solaris, AIX, or HP-UX servers can be maintained by a small 
team of administrators, and do not require these extra resources. If you can 
still convince them to go with FreeBSD despite the extra salaries and
resources instead of the ease ( and insurance ) of buying a support contract
from the vendor, I commend you. Marketing is not my gig.

Nobody expects a new system to replace the current and trustworthy cvsup
method. By the same token, nobody expects The Project to support every
possible hardware/software configuration out there. On the flip side, FreeBSD
is not like NetBSD or Linux in that we don't support 40 architectures, and a
few household appliances. 

Currently, we have 2 major architectures spanning 3 processors. Intel and 
AMD processors on the PC, and Alpha. Sparc and IA64 may be considerations in 
the future. For now, any patches or builds of this nature could very well be 
limited to 3 supported base architectures. Typically, we have maybe 2 or 3
critical releases of this nature per month. That comes to 3 builds three
times a month, not a considerable strain, for the benefit of releasing 
patches that folks will use.

I should like to note that this kind of system would be an excellent
opportunity for a FreeBSD support company to pick up some slack that perhaps
The Project doesn't have the resources to cover. It could potentially be a
valuable service for customers and users alike.

-- 
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186  A851 CFF0 7711 251A 4B18
