Date: Thu, 19 Mar 2015 01:02:45 +0100
From: Polytropon <freebsd@edvax.de>
To: Chris Stankevitz <chrisstankevitz@gmail.com>
Cc: reebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: FreeBSD recommends not using base unbound for an authoritative server
Message-ID: <20150319010245.17075fe5.freebsd@edvax.de>
In-Reply-To: <CAPi0psurwfKixg3S_pQ7_a9QOCJ2yTBqQncxHB75nzX-%2BnZszw@mail.gmail.com>
References: <CAPi0pssPrcJgF71AvQ-M1RZt=%2Btv=6FTGtwhi9_bX6-Q-7b7cQ@mail.gmail.com> <5508B8EB.3050907@gmail.com> <CAPi0psuy1swnCB%2B5NQbPrAAA=E3E377CcOPvvez%2Be4Ze6zuVZQ@mail.gmail.com> <CAKE2PDvy7CRW_O_XR9oHtHBe8gO9THVGGz1BdN6dPbZSGk8etA@mail.gmail.com> <CAPi0psurwfKixg3S_pQ7_a9QOCJ2yTBqQncxHB75nzX-%2BnZszw@mail.gmail.com>
On Wed, 18 Mar 2015 12:49:34 -0700, Chris Stankevitz wrote:

> Got it, thank you. In my original post I described my excitement
> about using the FreeBSD base packages for a number of reasons:

Intermission: Note that the base system does not exactly consist of individual packages, as it does in various Linux distributions (where there is no real "base system" at all, just an arbitrary combination of packages, and even the kernel can be considered a package). The OS is being distributed as a "whole unit", and special quality control is being applied before -RELEASE-pX patches are made available. Things are tested much more before you can run freebsd-update and get the update. There is a difference to -STABLE and -HEAD, which might get security updates faster, but with the risk (especially on -HEAD, or -CURRENT) of not even working.

You listed some advantages that apply to the OS more than to ports:

> - documented in handbook

Exactly. :-)

> - security problems are described in FreeBSD announcements

Also correct. But you can use auditing tools (and "pkg audit") to get informed quickly when an installed port has security issues.

> - easy updates with freebsd-update

Also correct.

> - infrequent updates

What does "infrequent" mean? There is no "5 year plan" which defines when and how updates are being performed. It's true that the FreeBSD OS may need one day or two to test and supply a security patch for software which also exists in ports or is being ported from another OS, and it might be that such an update is available more quickly through ports, but those who release the original (!) patch, maybe for a Linux program, do not test anything in relation to FreeBSD. However, when you're updating your ports collection with "portsnap" or "svn update", the update is usually faster than it would be for OS-related software. That is the reason why ports are encouraged when you need to fix security issues quickly.

> I'm still left wondering why the FreeBSD handbook recommends favoring
> ports over base when running an externally visible unbound server.

The port maintainer is quicker than the OS team because he has to deal with fewer things. :-)

> However, from the response I got here it seems clear that the reason
> is not "security" or "trust". It's just some other [yet unspecified]
> reason.

It's probably not trust (no more or less than the OS), but it is security, under the name of speed. It's also the point _where_ you apply a change: at the OS level or in the "additionally installed software" (which is the ports collection). Updating the OS usually involves a reboot, but updating a port often does not. So that might also be a reason when downtime is a major concern.

Summary: There is no "the one real way". It depends on your priorities and choices.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...