FreeBSD Security Survey

[Allen]

On Mon, May 22, 2006 at 12:06:54AM -0400, Brandon S. Allbery KF8NH wrote:
> 
> On May 21, 2006, at 11:55 , Colin Percival wrote:
> 
> >The Security Team has been concerned for some time by anecdotal  
> >reports
> >concerning the number of FreeBSD systems which are not being promptly
> >updated or are running FreeBSD releases which have passed their End of
> >Life dates and are no longer supported. In order to better understand
> >which FreeBSD versions are in use, how people are (or aren't) keeping
> >them updated, and why it seems so many systems are not being  
> >updated, I
> 
> I have a 6-STABLE box that is not going to be updated to 6.1 any time  
> soon, because my personal mail will have to be offline while I do so  
> --- including nuking and rebuilding all ports because the ports tree  
> has been thrashed by multiple low level updates that affect a large  
> percentage of the tree --- and it's only a 600MHz box so it will be  
> offline for most of a week during that upgrade.  And I'm uncertain  
> how downgrading it to 6.0-RELEASE+security patches will complicate  
> things (downgrading via cvsup/buildworld is not a supported option,  
> last I checked).  Granted, I probably should have stuck with 6.0-R  
> --- but then, experience has shown me that the more reliable option  
> is to wait a week or two after release and then install -STABLE.
> 
> In short:  keeping FreeBSD up to date tends to be painful at best.

I'd have to agree, though it's much better than some systems, it's still
something I'd like to see some improvement on.

For example, I understand the reasons for how Free BSD does things, I do.

However, one thing I'd love to see is a much better tool for handling
updates and upgrades.

I may get reamed for what I'm about to say, but I'm willing to deal with
whatever happens with this:

I'd like to see Free BSD include an approach to updates in the way
Slackware Linux does...

Now before I get 10,000 emails saying I'm stupid or something to that
effect let me explain:

I've been using supporting and telling about Free BSD for many years. When
I got my first computer, I had installed Free BSD not long after and that
was coming from Windows 95 / 98 SE.

One thing that always made me mad was when a new security flaw came out.

On my Slackware machines, it was no problem at all, I'd use wget to grab
the patch .tgz file, then do this:

upgradepkg *.tgz

I'd go get coffee or somethign and come back to all patches being
installed.

I know about portupgrade, and it's a good start, but I think there would be
huge benifit from a tool that allows you to download a tgz file and doing
the above to install patches.

A lot of Linux only users I know would use Free BSD if the patching system
was something more Slackware like. And I don't consider it a rip off to
make a system like that because well, Slackware is a supporter of BSD.

The Slackware Essentials book I bought has BSD on the back of it and BSD is
also listed as a supporter of Slackware, so I see no Moral problem with
creating something for Free BSD that would allow this.

>From what I've seen in portupgrade, you have to use a key... Which is nice
and all, but it defeats the purpose when I've personally seens omeone say
 "Ugh you have to do all this just to set up portupgrade? and you have to
recompile the Kernel for that Telnet update????"...

Explanations as to why don't work.

I just personally feel there would be a lot more boxes getting patches
installed if you could do it like Slackware, or Linux in general, and allow
for patches that you just install with one command.

RedHat and some other distros use RPM, and they have their own update
tools, but if you wanted you could just download the RPMs and do rpm -U to
update.

Slackware I've shown already. It's a good system.

>From what I've understood, Free BSD doesn't usually do binarys.... I could
be wrong here as I'm no positive...

But I really think it would be for the best if there was something added to
Free BSD where you could juts install patches the way you do Linux.

I mean you wouldn't have to remove the other system that is in use now, and
as I saiud portupgrade is a good start, however for the people I talk to it
doesn't seem to be enough.

I'd love to see somethign like this added into Free BSD where for the
people who like the updates the way they are now could keep using that way,
and for the new comers and people who aren't used to it, they could use the
other way.

Like Is aid Linux has two ways, you can use an update tool like Redhat's
up2date, or you can download the RPMs yourself.

Slackware has Swaret, slackpkg, and slapt-get, or you can simply download
the patches which are already .tgz files, and use upgradepkg to install
them.

I think the benifits would be great and more people would use it if they
knew when a new security problem came out in Free BSD all they had to do
was download a patch and type upgradepkg, or type patch and it installed
 like this.

And then a front end could be done where you had a GUI to use for this too,
And think of how many new users would be using it when they knew how easy
it was?

I support Free BSD either way, I buy books, and I buy the CD sets to help
out. And I will continue using it either way, I just would love tos ee
somethign like this implemented. As would a lot of others in my area.

I'd do it all myself and release it if I could code good enough to do
something like this but until I can I can at least point out a good idea.

-Allen. Buying Free BSD power paks since 4.0






 
> -- 
> brandon s. allbery     [linux,solaris,freebsd,perl]       
> allbery at kf8nh.com
> system administrator  [openafs,heimdal,too many hats]   
> allbery at ece.cmu.edu
> electrical and computer engineering, carnegie mellon university       
> KF8NH
> 
> 
> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"