Date: Wed, 31 Jul 2013 16:08:32 +0930
From: Shane Ambler <FreeBSD@ShaneWare.Biz>
To: freebsd-stable@freebsd.org
Subject: Re: Bind in FreeBSD, security advisories
Message-ID: <51F8B0E8.8090608@ShaneWare.Biz>
In-Reply-To: <51F7E352.30300@digsys.bg>
References: <CAO%2BPfDctepQY0mGH7H%2BgOSm4HJwhe-RCND%2BmxAArnRxpWiCsjg@mail.gmail.com> <1375186900.23467.3223791.24CB348A@webmail.messagingengine.com> <51F7B5C7.6050008@digsys.bg> <CAOgwaMt4G02yhU0cbiq_EEwhi4=mgt2kLGJf0Rgb8t9wECsGJA@mail.gmail.com> <51F7C07C.9060606@digsys.bg> <op.w01e3qhl8527sy@ronaldradial.versatec.local> <51F7E352.30300@digsys.bg>

On 31/07/2013 01:31, Daniel Kalchev wrote:

> But here is an idea: Remove BIND from HEAD overnight and see how many
> will complain ;-)

If nobody complains, don't put it back in. Or change the default to off. If you want bind, add WITH_BIND=yes to src.conf.

It's hard to say FreeBSD is a safe and secure OS when part of the base install is always being shown to have security flaws. New features need to prove they are reliable before they are accepted into a release, yet we allow something that has a long proven history of being a source of security concerns.

For something that needs to be constantly updated in between system updates, ports is the place to install it from.

I think it is less about whether bind is useful and needs to be in base and more about should every user of FreeBSD be open to security issues or should a user have the option to say "yes I want potentially insecure software on my machine". The ports system allows messages that make it obvious to the user about security concerns.

Yes, many users know the bind utilities and rely on them, but a lot of users have no idea how to use them. I expect that the bind tools are used by a number of users that know what they are doing and need them for testing and debugging issues; they also know how to install them when they need them. I believe most users would not need or use these tools.

How many people set up and use a FreeBSD machine without adding something from ports or packages?

And yes, I set up my own DNS server to resolve internal host names instead of filling /etc/hosts with entries. As for the tools like dig and host, I rarely use them.