wmoran at potentialtech.com
Sun Jun 15 23:30:02 PDT 2003
Thanjee Neefam wrote:
> The key barrier to FreeBSD is java. I go to
> http://www.freebsd.org/java/ and the main text says FreeBSD supports
> 1.1.8, which isn't good enough for my needs.
> However, there is also a 1.4 link on that page, but that page says the
> FreeBSD version is currently missing features.
I haven't used Java on FreeBSD much, but I didn't find anything missing
when I did. I'm sure there are others better suited to answer this, however.
> This is the second key issue. I know of someone who runs an old
> open-source OS (about 3 versions behind the current), who doesn't know
> how to patch his box unless he downloads 4 or so CDs. That box was
> recently compromised and the fix that person performed was to rebuild
> the machine with the same old OS, and recover data from tape.
I can't imagine what that person was thinking? But you say "old open-source
OS" ... if it was FreeBSD, then the admin was a fool.
I have several boxes I admin, and keeping them up to date is easy. If
you let a machine slip so far behind that you can't easily update it, then
it's your own fault. If no security problems force you to update earlier,
you should be able to update once a year with no problems and stay reasonably
> I like being able to browse to www.debian.org/security and to know that
> on certain days as many as 5 patches are released. And that with a
> single command I can apply all the patches I need.
> Now, FreeBSD has a similar page freebsd.org/security but it doesn't list
> as many bugs. Does that mean FreeBSD has fewer holes?
I guess. If Debian's security page has more listed, then Debian has more
holes. All the known holes in FreeBSD are listed there.
> Or does it mean
> it takes longer to fix them in FreeBSD?
Heavens no. FreeBSD fixes problems as fast or faster than any other
project I'm aware of.
> Or that people are not testing
> the security of BSD as much as Debian?
Well, I don't know how much testing the Debian folks do, but FreeBSD is
heavily used and abused by a lot of people. If security it a major
concern, then you should use OpenBSD, which is the most secure system
out there, period.
> At the top of the debian security page is directions on how to apply all
> relevent patches. There is no such information on the FreeBSD security
> page (that I could see, correct me if I am wrong). Instead the
> directions are attached to the Security Advisory, and involve
> recompiling your operating-system/kernal and rebooting (at least it did
> for the two I checked 'openssl' and 'syncookies' SA for 4.8
This is how things are done on FreeBSD. If you can apply a patch to the
kernel without rebooting in Debian, then the Debian folks are far ahead of
anything I've seen!
Besides, different security issues may require different levels of activity
to patch, so trying to give one set of rules for every single security patch
would be difficult, impossible, or inaccurate. A patch to the kernel will
definately require a reboot, while a patch to inetd would require rebuilding
inetd and doing "killall inetd; inetd" and save you the reboot. Trying to
make one set of instructions for all patches would have to be lowest
common denominator, thus telling the user to reboot after patching inetd,
when that's not needed.
I've never had any complaints with the "upgrade your source to the latest
security patch version, rebuild the OS and reboot" system of fixing flaws.
On the slowest machines I admin, this can still be done before lunchtime
and the actual downtime is less than 15 minutes.
More information about the freebsd-questions