FreeBSD recommends not using base unbound for an authoritative server

Polytropon freebsd at
Thu Mar 19 00:02:50 UTC 2015

On Wed, 18 Mar 2015 12:49:34 -0700, Chris Stankevitz wrote:
> Got it, thank you.  In my original post I described my excitement
> about using the FreeBSD base packages for a number of reasons:

Intermission: Note that the base system does not exactly
consist of individual packages, as it does in various
Linux distributions (where there is no real "base system"
at all, just an arbitrary combination of packages, and
even the kernel can be considered a package). The OS is
being distributed as a "whole unit", and special quality
control is being applied before -RELEASE-pX patches are
made available. Things are tested much more before you can
run freebsd-update and get the update.

There is a difference to -STABLE and -HEAD which might
get security updates faster, but with the risk (especially
on -HEAD, or -CURRENT) of not even working.

You listed some advantages that apply to the OS more than
to ports:

> - documented in handbook

Exactly. :-)

> - security problems are described in FreeBSD announcements

Also correct. But you can use auditing tools (and "pkg audit")
to get informed quickly when an installed port has security

> - easy updates with freebsd-update

Also correct.

> - infrequent updates

What does "infrequent" mean? There is no "5 year plan" which
defines when and how updates are being performed. It's true
that the FreeBSD OS may need one day or two to test and supply
a security patch for software which also exists in ports or
is being ported from another OS, and it might be that such an
update is available more quickly through ports, but those who
release the original (!) patch, maybe for a Linux program, do
not test anything in relation to FreeBSD. However, when you're
updating your ports collection with "portsnap" or "svn update",
the update is usually faster than it would be for an OS-related
software. That is the reason why ports are encouraged when you
need to fix security issues quickly.

> I'm still left wondering why the FreeBSD handbook recommends favoring
> ports over base when running an externally visible unbound server.

THe port maintainer is quicker than the OS team because he has
to deal with less things. :-)

> However, from the response I got here it seems clear that the reason
> is not "security" or "trust".  It's just some other [yet unspecified]
> reason.

It's probably not trust (no more or less than the OS), but it
is security, under the name of speed. It's also the point _where_
you apply a change: at the OS level or in the "additionally
installed software" (which is the ports collection). Updating
the OS usually involves a reboot, but updating a port often
does not. So that might also be a reason when downtime is a
major concern.

Summary: There is no "the one real way". It depends on your
priorities and choices.

Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

More information about the freebsd-questions mailing list