Re: FreeBSD Security Survey

2006-05-23 Thread Chris H.

Quoting Paul Allen [EMAIL PROTECTED]:


From Scott Long [EMAIL PROTECTED], Sun, May 21, 2006 at 11:44:27PM -0600:
I share this frustration with you.  I was once told that the pain in
upgrading is due largely to a somewhat invisible difference between
installing a pre-compiled package, and building+installing a port.  In
theory, if you stick to one method or the other, things will stay mostly
consistent.  But if you mix them, and particularly if you update the
ports tree in the process, the end result is a bit more undefined.  One
thing that I wish for is that the ports tree would branch for releases,
and that those branches would get security updates.  I know that this
would involve an exponentially larger amount of effort from the ports
team, and I don't fault them for not doing it.  Still, it would be nice
to have.


Huh? Really.  What you say makes a certain amount of sense when pkg_add
is used, but I haven't seen much evidence for problems with mixing ports
and packages via portupgrade -P.

The trouble comes not with packages but in the conflicting information between
/var/db/pkg/ and the ports themselves.  The former does not merely contain a
stale version of the port dependency and origin information; it contains
many snapshots of small slices of many different port dependency graphs (as the
port tree evolves).

Consistently using portupgrade -rR, portinstall helps keep this under control
but each pkg_add or make install in a port directory causes drift.  Given
that portupgrade is an optional tool and the handbook suggests the other form...
well you see the trouble.

But the situation is worse than this because of the manual interventions
necessary to fixup the portsdb.  These fixups easily create dependency graphs
that never existed anywhere else before.  Most often this happens because of
ports being renamed, deleted, combined, etc--the trouble here is that the ports
tree reveals no history about these actions.

It is left to a program like portupgrade to heuristically guess!?! what has
taken place.  Now if you go through this process every week (every day?) usually
the risk is small and it is obvious what to do, but this is not always so.

Some speculation:  I've always thought portupgrade did the Wrong Thing(tm) by
consulting the dependency graph in /var/db.   Better to merely learn which
packages were installed and then exclusively use the port information...
Maybe someone knows why that would be the wrong thing to do?


May I insert a me too here? This (everything you've written here) has
been my *only* reason for choosing not to upgrade immediately. I find the
ease of using the ports system *glorious*, *_until_* it comes time to
upgrade (installed ports). This is especially true when you have imposed
subtle changes (inserted default options for the build/ install, created/
crafted ini/ conf files). Using make.conf *seemed* like the ultimate
solution. That is, until you've found that you were on the leading edge
of a major revision of a port, and those options are no longer supported,
or have been renamed. Still, make.conf is a wonderful tool. But even w/o
custom options/conf's imposed, upgrades through portupgrade (from my
experience) are a trip to hell that I never look forward to
re-living/visiting.

In short; there *must* be a better (less painful) way to handle upgrading
the _installed_ ports. I only wish I could figure one out. Please note;
this is a solicitation. ;) I am only adding (augmenting) to what Paul has
stated here.

(I build/manage some 50 FreeBSD boxes. So you can imagine the grief.)

--Chris H.



___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]





--
Shameless self-promotion follows...
... or does it?


-
FreeBSD 5.4-RELEASE-p12 (SMP - 900x2) Tue Mar 7 19:37:23 PST 2006
/





Re: FreeBSD Security Survey

2006-05-23 Thread Chris H.

Quoting Ion-Mihai IOnut Tetcu [EMAIL PROTECTED]:


On Mon, 22 May 2006 11:40:16 +0200
Marian Hettwer [EMAIL PROTECTED] wrote:


 ports tree in the process, the end result is a bit more undefined.  One
 thing that I wish for is that the ports tree would branch for releases,
 and that those branches would get security updates.  I know that this
 would involve an exponentially larger amount of effort from the ports
 team, and I don't fault them for not doing it.  Still, it would be nice
 to have.

I have to agree on that statement. I would love to see branched ports.
This can get very important on servers, where you don't want to have
major upgrades, but only security updates.
I guess it's a question of manpower, hm?


With the maintainers/committers/physical_resources we have now this is
impossible.
Take a look at pav@'s PR stats page: http://www.oook.cz/bsd/prstats/
There are ~1000 new ports PRs per month. The PT Team has managed to
close about the same number per month (fewer during the freeze, of
course).
Currently there are 551 open PRs. 238 in feedback state, etc.


Would a survey help? As in ask the ports team and FreeBSD
administrators? Maybe some will start to become port maintainer too,
just to support the increased work on ports due to branching them...
I would :)


There are ~4300 unmaintained ports. Maybe you could start maintaining
some of them _now_ ?


This brings up a point I have been wanting to bring up for over a month;
I adopted an orphaned port (contacted the owner, who then relinquished
ownership to me). But found it _more_ than difficult to discover how
to inform the fBSD port(s) system of its new, *un*orphaned status.
I read through the online docs about it. But got dizzy with the
circularness of it. Searching led to no _definitive_ answer(s) either.
Is it still send-pr just to update its status? Couldn't there be an
online form to change ownership/ stewardship? I *can* comprehend the
send-pr system. I simply can't understand how to change/ update
ownership/ stewardship. Perhaps this is why so many of the orphaned
ports remain in this state.

--Chris H.












Re: FreeBSD Security Survey

2006-05-23 Thread Frank Steinborn
Chris H. wrote:
 This brings up a point I have been wanting to bring up for over a month;
 I adopted an orphaned port (contacted the owner, who then relinquished
 ownership to me). But found it _more_ than difficult to discover how
 to inform the fBSD port(s) system of its new, *un*orphaned status.
 I read through the online docs about it. But got dizzy with the
 circularness of it. Searching led to no _definitive_ answer(s) either.
 Is it still send-pr just to update its status? Couldn't there be an
 online form to change ownership/ stewardship? I *can* comprehend the
 send-pr system. I simply can't understand how to change/ update
 ownership/ stewardship. Perhaps this is why so many of the orphaned
 ports remain in this state.

Open a PR and simply set MAINTAINER to your own address. Use category
'ports' and class 'change-request'.

Frank 


Re: FreeBSD Security Survey

2006-05-23 Thread Chris H.

Quoting Frank Steinborn [EMAIL PROTECTED]:


Chris H. wrote:

This brings up a point I have been wanting to bring up for over a month;
I adopted an orphaned port (contacted the owner, who then relinquished
ownership to me). But found it _more_ than difficult to discover how
to inform the fBSD port(s) system of its new, *un*orphaned status.
I read through the online docs about it. But got dizzy with the
circularness of it. Searching led to no _definitive_ answer(s) either.
Is it still send-pr just to update its status? Couldn't there be an
online form to change ownership/ stewardship? I *can* comprehend the
send-pr system. I simply can't understand how to change/ update
ownership/ stewardship. Perhaps this is why so many of the orphaned
ports remain in this state.


Open a PR and simply set MAINTAINER to your own address. Use category
'ports' and class 'change-request'.


Will do. Thank you very much for taking the time to respond.

--Chris H.










Re: FreeBSD Security Survey

2006-05-23 Thread Vivek Khera


On May 22, 2006, at 12:38 AM, Brent Casavant wrote:


So, in short, that's why *I* rarely update ports for security reasons.


Another valid reason is configuration management.  We run web
services, and in order to ensure nothing breaks, we have to use a
fixed set of code.  Upgrading any piece of that requires many steps,
including verifying functionality and checking for regressions, etc.
Basically we have to run our full regression tests on any changes,
then roll them out in a controlled fashion minimizing downtime.




Re: FreeBSD Security Survey

2006-05-23 Thread Vivek Khera


On May 22, 2006, at 6:45 AM, Steven Hartland wrote:


One good example of portupgrade going off on one is a simple
upgrade of mtr: we don't install any X on our machines so mtr-nox11
is installed. Whenever I've tried portupgrade in the past it's
always trolled off and started downloading and building the behemoth
that is X, CTRL+C hence always ensues and I forget about upgrading
until I really HAVE to.


Well, then you've misconfigured your portupgrade.  It never does so
for me because I have WITHOUT_X11 and WITHOUT_GUI set in /etc/make.conf
(why two knobs, I don't know, but many ports use
WITHOUT_GUI instead of WITHOUT_X11).




Re: FreeBSD Security Survey

2006-05-22 Thread Paul Allen
From Scott Long [EMAIL PROTECTED], Sun, May 21, 2006 at 11:44:27PM -0600:
 I share this frustration with you.  I was once told that the pain in
 upgrading is due largely to a somewhat invisible difference between
 installing a pre-compiled package, and building+installing a port.  In
 theory, if you stick to one method or the other, things will stay mostly
 consistent.  But if you mix them, and particularly if you update the
 ports tree in the process, the end result is a bit more undefined.  One
 thing that I wish for is that the ports tree would branch for releases,
 and that those branches would get security updates.  I know that this
 would involve an exponentially larger amount of effort from the ports
 team, and I don't fault them for not doing it.  Still, it would be nice
 to have.

Huh? Really.  What you say makes a certain amount of sense when pkg_add 
is used, but I haven't seen much evidence for problems with mixing ports
and packages via portupgrade -P.

The trouble comes not with packages but in the conflicting information between
/var/db/pkg/ and the ports themselves.  The former does not merely contain a 
stale version of the port dependency and origin information; it contains
many snapshots of small slices of many different port dependency graphs (as the
port tree evolves).

Consistently using portupgrade -rR, portinstall helps keep this under control
but each pkg_add or make install in a port directory causes drift.  Given
that portupgrade is an optional tool and the handbook suggests the other form...
well you see the trouble.

But the situation is worse than this because of the manual interventions 
necessary to fixup the portsdb.  These fixups easily create dependency graphs 
that never existed anywhere else before.  Most often this happens because of
ports being renamed, deleted, combined, etc--the trouble here is that the ports
tree reveals no history about these actions.

It is left to a program like portupgrade to heuristically guess!?! what has 
taken place.  Now if you go through this process every week (every day?) usually
the risk is small and it is obvious what to do, but this is not always so.

Some speculation:  I've always thought portupgrade did the Wrong Thing(tm) by
consulting the dependency graph in /var/db.   Better to merely learn which
packages were installed and then exclusively use the port information...
Maybe someone knows why that would be the wrong thing to do?

Paul
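Paul's point that /var/db/pkg holds stale slices of old dependency graphs can be checked mechanically. The script below is an added example, not code from this thread, from portupgrade or from the FreeBSD project: it parses the pkg_install +CONTENTS records of installed packages (@name, @comment ORIGIN:, @pkgdep, @comment DEPORIGIN:) and reports dependency entries that disagree with what is actually installed or with the ports tree. The package names, versions and the ports-tree snapshot are constructed sample data so it runs offline; on a real host you would read each /var/db/pkg/*/+CONTENTS file and list /usr/ports/*/* instead.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The two @comment records pkg_install writes into +CONTENTS.
ORIGIN_RE = re.compile(r"^@comment ORIGIN:(\S+)$")
DEPORIGIN_RE = re.compile(r"^@comment DEPORIGIN:(\S+)$")


@dataclass
class PkgRecord:
    name: str                                # e.g. "apache-2.0.58"
    origin: str                              # e.g. "www/apache20"
    deps: List[Tuple[str, Optional[str]]]    # (@pkgdep name, DEPORIGIN or None)


def parse_contents(text: str) -> PkgRecord:
    """Parse one +CONTENTS file. A @pkgdep line is normally followed by its
    @comment DEPORIGIN line; very old records may lack the DEPORIGIN."""
    name = origin = None
    deps: List[Tuple[str, Optional[str]]] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("@name "):
            name = line[len("@name "):].strip()
        elif line.startswith("@pkgdep "):
            if pending is not None:          # previous dep had no DEPORIGIN
                deps.append((pending, None))
            pending = line[len("@pkgdep "):].strip()
        elif (m := ORIGIN_RE.match(line)):
            origin = m.group(1)
        elif (m := DEPORIGIN_RE.match(line)) and pending is not None:
            deps.append((pending, m.group(1)))
            pending = None
    if pending is not None:
        deps.append((pending, None))
    if name is None or origin is None:
        raise ValueError("+CONTENTS is missing @name or @comment ORIGIN")
    return PkgRecord(name, origin, deps)


def find_drift(installed: Dict[str, str], ports_origins: Set[str]) -> List[str]:
    """installed maps package name -> its +CONTENTS text (what /var/db/pkg
    holds); ports_origins is the set of category/name directories present
    in the ports tree. Returns sorted, human-readable findings."""
    records = {n: parse_contents(t) for n, t in installed.items()}
    by_origin = {r.origin: r for r in records.values()}
    findings: List[str] = []
    for rec in records.values():
        # The package's own port was renamed/deleted/combined since install.
        if rec.origin not in ports_origins:
            findings.append(f"{rec.name}: origin {rec.origin} no longer exists in the ports tree")
        for dep_name, dep_origin in rec.deps:
            if dep_origin is None:
                findings.append(f"{rec.name}: dependency {dep_name} recorded without DEPORIGIN")
                continue
            if dep_origin not in ports_origins:
                findings.append(f"{rec.name}: dependency origin {dep_origin} no longer exists in the ports tree")
            inst = by_origin.get(dep_origin)
            if inst is None:
                # Recorded against a port that is not installed at all.
                findings.append(f"{rec.name}: dependency {dep_name} ({dep_origin}) is not installed")
            elif inst.name != dep_name:
                # Snapshot of an older graph: the dep has since been upgraded.
                findings.append(f"{rec.name}: records dependency {dep_name} but {inst.name} is installed")
    return sorted(findings)


# Constructed sample of /var/db/pkg; names, versions and dependency records
# are illustrative only, not taken from a real system.
SAMPLE_DB = {
    "apache-2.0.58": "@name apache-2.0.58\n@comment ORIGIN:www/apache20\n",
    # php package built against apache13 although apache20 is what is installed
    "php4-4.4.2": ("@name php4-4.4.2\n@comment ORIGIN:lang/php4\n"
                   "@pkgdep apache-1.3.34\n@comment DEPORIGIN:www/apache13\n"),
    # dependency recorded when expat 1.95.x was installed; expat has moved on
    "p5-XML-Parser-2.34": ("@name p5-XML-Parser-2.34\n@comment ORIGIN:textproc/p5-XML-Parser\n"
                           "@pkgdep expat-1.95.8\n@comment DEPORIGIN:textproc/expat2\n"),
    "expat-2.0.0": "@name expat-2.0.0\n@comment ORIGIN:textproc/expat2\n",
    # a port removed from the tree after this package was installed
    "oldtool-1.0": "@name oldtool-1.0\n@comment ORIGIN:misc/oldtool\n",
}

# Constructed snapshot of the origins present in /usr/ports.
SAMPLE_PORTS = {"www/apache20", "www/apache13", "lang/php4",
                "textproc/p5-XML-Parser", "textproc/expat2"}


def demo() -> List[str]:
    return find_drift(SAMPLE_DB, SAMPLE_PORTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```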


Re: FreeBSD Security Survey

2006-05-22 Thread Robert Backhaus

On 5/22/06, Colin Percival [EMAIL PROTECTED] wrote:


If you administrate system(s) running FreeBSD (in the broad sense of are
responsible for keeping system(s) secure and up to date), please visit
 http://people.freebsd.org/~cperciva/survey.html
and complete the survey below before May 31st, 2006.



One of those Missing Option messages: Whether valid or not, the
reason that I would avoid a binary update system is that I customise
CPUTYPE, and believe, rightly or wrongly, that this would make binary
updating impossible.

Of course, the main reason I would not use binary updating is that you/they
have made source updating so easy!


Re: FreeBSD Security Survey

2006-05-22 Thread Doug Hardie


On May 21, 2006, at 22:41, David Nugent wrote:


A good failover strategy comes into play here.

If you have one, then taking a single production machine off-line  
for a short period should be no big deal, even routine, and should  
not even be noticed by users if done correctly.  This should be  
planned for and part of the network/system design. Yes, it  
definitely requires more resources to support, but I'll rephrase  
the same problem: what happens when (and I mean *when* and not  
*if*) a motherboard or network card fries or you suffer a hard disk  
crash (even 2+ drives failing at the same time on a raid array is  
not particularly unusual considering that drives are quite often  
from the same manufactured batch)?


Lack of a failover on mission critical systems that *can't* be
offline is like playing Russian roulette.


Failover sounds good in theory but has significant issues in practice
that make it sometimes worse than the alternative.  Take mail
spools.  If you failover, mail the user saw before has disappeared.
Then when you fail back it reappears and newer messages disappear.
This is hardly unnoticeable.  My users do not find that at all
acceptable.  Putting the mail spools on a different machine just
moves that problem to the different machine.  Trying to keep multiple
spools consistent has problems also.  I have watched raid systems lose
their data too.  A nice power spike - 1.5kV from a lightning strike
in the local area will do it.



Re: FreeBSD Security Survey

2006-05-22 Thread Anish Mistry
On Monday 22 May 2006 01:44, Scott Long wrote:
 Brent Casavant wrote:
  On Sun, 21 May 2006, Colin Percival wrote:
 In order to better understand
 which FreeBSD versions are in use, how people are (or aren't)
  keeping them updated, and why it seems so many systems are not
  being updated, I have put together a short survey of 12
  questions.
 
  I applaud this survey, however question 9 missed an important
  point, at least to me.  I was torn between answering less than
  once a month and I never update.
 
  While I find ports to be the single most useful feature of the
  FreeBSD experience, and can't thank contributors enough for the
  efforts, I on the other hand find updating my installed ports
  collection (for security reasons or otherwise) to be quite
  painful.  I typically use portupgrade to perform this task.  On
  several occasions I got bit by doing a portupgrade which wasn't
  able to completely upgrade all dependencies (particularly when X,
  GUI's, and desktops are in the mix -- though I always follow the
  special Gnome upgrade methods when appropriate).
 
  I can't rule out some form of pilot error, but the end result was
  pain.
 
  After several instances of unsatisfactory portupgrades (mostly in
  the 5.2 through early 5.4 timeframe), I adopted the practice of
  either not upgrading ports at all for the life of a particular
  installation on a machine (typically about one year), or when
  necessary by removing *all* ports from the machine, cvsup'ing,
  and reinstalling.  This has served me quite well, particularly
  considering the minimal threat profile these particularly systems
  face.
 
  So, in short, that's why *I* rarely update ports for security
  reasons.
 
  There are steps that could be taken at the port maintenance level
  that would work well for my particular case, however that's
  beyond the scope of the survey.  Thanks for taking the time put
  the survey together, I certainly hope it proves useful.
 
  Thank you,
  Brent Casavant

 I share this frustration with you.  I was once told that the pain
 in upgrading is due largely to a somewhat invisible difference
 between installing a pre-compiled package, and building+installing
 a port.  In theory, if you stick to one method or the other, things
 will stay mostly consistent.  But if you mix them, and particularly
 if you update the ports tree in the process, the end result is a
 bit more undefined.  One thing that I wish for is that the ports
 tree would branch for releases, and that those branches would get
 security updates.  I know that this would involve an exponentially
 larger amount of effort from the ports team, and I don't fault them
 for not doing it.  Still, it would be nice to have.
More ports seem to be separating out their different versions into
portname20, portname, portname21, etc.  This takes out quite a bit of
the updating woes without causing too much overhead for the
maintainers.  Since maintaining a security branch for releases would
require too much overhead, it might be nice to have a mechanism to track
the release version of the installed software.
e.g.
For 6.0 release I installed lang/lua which is lua-5.0.
Then when I cvsup next time the maintainer has created a lang/lua50
port for the old version and lang/lua is now version 5.1.  It would
be nice to have a mapping where I can say "Stay with version 5.0.x"
and when I do a portupgrade it will see that lua-5.0 is installed so
use lang/lua50 instead of lang/lua.
As a port maintainer, I could probably live with that extra mapping.

Though currently I try to keep a few jails configured on my desktop
that match customers' configurations and perform updates in the jail
first.  Just to see if there will be any hiccups before actually
performing the updates on a customer's system.  I only have 3 basic
configurations that I use so it's not that big of a deal for me.

My biggest gripe about updating the base system is the mergemaster
step, but once mergemaster -U is cut into a release it should fix
that annoyance.

-- 
Anish Mistry




RE: FreeBSD Security Survey

2006-05-22 Thread Constant, Benjamin

Hi,

We don't use binary update as we use custom kernels.
We're using portaudit for security flaws with the installed ports but I don't
think there is any equivalent for the base and kernel? I'm subscribed and
I'm monitoring the FreeBSD Security Advisories mailing-list but there is (as
far as I know) no easy system like portaudit to compare your installed base
and kernel source tree against security advisories. Are there best practices
in this area knowing that all my systems are not running the same level of
patches and none of them are running something other than -STABLE? I'll
probably switch from -STABLE to -RELENG in the future (was not possible in
the beginning as features we're looking for were only in -STABLE) and apply
security fixes but I think it won't change the amount of work to perform
compared to a non source based operating system.

Regards,

Benjamin Constant

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-freebsd-
 [EMAIL PROTECTED] On Behalf Of Colin Percival
 Sent: lundi 22 mai 2006 5:55
 To: freebsd security; FreeBSD Stable
 Subject: FreeBSD Security Survey
 
 Dear FreeBSD users and system administrators,
 
 While the FreeBSD Security Team has traditionally been very good at
 investigating and responding to security issues in FreeBSD, this only
 solves half of the security problem: Unless users and administrators
 of FreeBSD systems apply the security patches provided, the advisories
 issued accomplish little beyond alerting potential attackers to the
 presence of vulnerabilities.
 
 The Security Team has been concerned for some time by anecdotal reports
 concerning the number of FreeBSD systems which are not being promptly
 updated or are running FreeBSD releases which have passed their End of
 Life dates and are no longer supported. In order to better understand
 which FreeBSD versions are in use, how people are (or aren't) keeping
 them updated, and why it seems so many systems are not being updated, I
 have put together a short survey of 12 questions. The information gathered
 will inform the work done by the Security Team, as well as my own personal
 work on FreeBSD this summer.
 
 If you administrate system(s) running FreeBSD (in the broad sense of are
 responsible for keeping system(s) secure and up to date), please visit
   http://people.freebsd.org/~cperciva/survey.html
 and complete the survey below before May 31st, 2006.
 
 Thanks,
 Colin Percival
 FreeBSD Security Officer



Re: FreeBSD Security Survey

2006-05-22 Thread Massimo Lusetti
On Sun, 2006-05-21 at 23:44 -0600, Scott Long wrote:

 ports tree in the process, the end result is a bit more undefined.  One
 thing that I wish for is that the ports tree would branch for releases,
 and that those branches would get security updates.  I know that this
 would involve an exponentially larger amount of effort from the ports
 team, and I don't fault them for not doing it.  Still, it would be nice
 to have.

Yes, totally agree.
That's the way the OpenBSD ports tree works and it worked very well for me.
That's not to say FreeBSD's one didn't, but it takes a lot more attention,
which isn't always a bad thing ;)

-- 
Massimo.run();




Re: FreeBSD Security Survey

2006-05-22 Thread Marian Hettwer

Hi there,


Scott Long wrote:
 Brent Casavant wrote:
 
 While I find ports to be the single most useful feature of the FreeBSD
 experience, and can't thank contributors enough for the efforts, I on
 the other hand find updating my installed ports collection (for security
 reasons or otherwise) to be quite painful.  I typically use portupgrade
 to perform this task.  On several occasions I got bit by doing a
 portupgrade which wasn't able to completely upgrade all dependencies
 (particularly when X, GUI's, and desktops are in the mix -- though I
 always follow the special Gnome upgrade methods when appropriate).

Like Scott pointed out below, stick with either building from source, or
using packages. Mixing them may have strange side effects.
To give an example.
I usually use portupgrade without using packages. But last time I needed
to update my ports (on a production server, though private not corporate
server), I used portupgrade -P (to use packages if available).
It updated php, using packages, but unluckily the packages were built
against apache13. I'm using apache20, so my php installation was
trashed. Argh.
But even more painful is the fact that portupgrade _always_ fails on
some perl modules. Usually p5-XML-Parser. I don't know why, but it's
annoying...

 ports tree in the process, the end result is a bit more undefined.  One
 thing that I wish for is that the ports tree would branch for releases,
 and that those branches would get security updates.  I know that this
 would involve an exponentially larger amount of effort from the ports
 team, and I don't fault them for not doing it.  Still, it would be nice
 to have.
I have to agree on that statement. I would love to see branched ports.
This can get very important on servers, where you don't want to have
major upgrades, but only security updates.
I guess it's a question of manpower, hm?
Would a survey help? As in ask the ports team and FreeBSD
administrators? Maybe some will start to become port maintainer too,
just to support the increased work on ports due to branching them...
I would :)

best regards,
Marian


Re: FreeBSD Security Survey

2006-05-22 Thread Michel Talon
 ports tree in the process, the end result is a bit more undefined.  One
 thing that I wish for is that the ports tree would branch for releases,
 and that those branches would get security updates.  I know that this
 would involve an exponentially larger amount of effort from the ports
 team, and I don't fault them for not doing it.  Still, it would be nice
 to have.

Yes, totally agree.
That's the way the OpenBSD ports tree works and it worked very well for me.
That's not to say FreeBSD's one didn't, but it takes a lot more attention,
which isn't always a bad thing ;)

OpenBSD doesn't have close to 15000 ports. In my opinion, this richness is
one of the main assets of FreeBSD, and by necessity implies a great difficulty
to maintain everything in a coherent and secure state. You have only to
contemplate the years it took to release Debian Sarge to convince yourself.
Personally I am quite pleased with the present state of the FreeBSD ports,
I think it is in a much better state than a couple of years before, and
for my own use, security is a very secondary issue. People who have machines
exposed on the internet usually have a small number of ports installed, and
can maintain them in the latest secure version. I have around 600 ports
installed on my 6.1 machine, which will certainly grow in time, and no
intention whatsoever to run portupgrade on that.


-- 

Michel TALON



Re: FreeBSD Security Survey

2006-05-22 Thread Matthias Andree
Scott Long [EMAIL PROTECTED] writes:

 I share this frustration with you.  I was once told that the pain in
 upgrading is due largely to a somewhat invisible difference between
 installing a pre-compiled package, and building+installing a port.  In
 theory, if you stick to one method or the other, things will stay mostly
 consistent.  But if you mix them, and particularly if you update the
 ports tree in the process, the end result is a bit more undefined.  One
 thing that I wish for is that the ports tree would branch for releases,
 and that those branches would get security updates.  I know that this
 would involve an exponentially larger amount of effort from the ports
 team, and I don't fault them for not doing it.  Still, it would be nice
 to have.

Speaking as a port maintainer, if these branches would allow me to just
MFC updates from HEAD that are proven and meet dependency requirements
for the new version, I think I'd be able to handle this. The major ports
for concern I maintain (db3* db4*) have forked minor versions for
compatibility anyway.

If it's a bugfix only policy that may involve ripping out the minimum
fix out of a larger patch set, it'll pretty much be a non-starter for me
unless someone funds that work.

-- 
Matthias Andree


Re: FreeBSD Security Survey

2006-05-22 Thread Herve Boulouis
On 22/05/2006 11:43, Michel Talon wrote:
 
 OpenBSD doesn't have close to 15000 ports. In my opinion, this richness is
 one of the main assets of FreeBSD, and by necessity implies a great difficulty
 to maintain everything in a coherent and secure state. You have only to
 contemplate the years it took to release Debian Sarge to convince yourself.
 Personally I am quite pleased with the present state of the FreeBSD ports,
 I think it is in a much better state than a couple of years before, and
 for my own use, security is a very secondary issue. People who have machines
 exposed on the internet usually have a small number of ports installed, and
 can maintain them in the latest secure version. I have around 600 ports
 installed on my 6.1 machine, which will certainly grow in time, and no
 intention whatsoever to run portupgrade on that.

I completely agree with Michel.

The question that I think is missing from the survey is the use you make of
your FreeBSD installation. All production servers I have (50) use few ports
and upgrades (security related or not) are always done by hand. On the
other side, I nearly always use precompiled packages on my workstation to
save compile time and dependency headaches.

-- 
Herve Boulouis


Re: FreeBSD Security Survey

2006-05-22 Thread IOnut
On Mon, 22 May 2006 11:40:16 +0200
Marian Hettwer [EMAIL PROTECTED] wrote:

  ports tree in the process, the end result is a bit more undefined.  One
  thing that I wish for is that the ports tree would branch for releases,
  and that those branches would get security updates.  I know that this
  would involve an exponentially larger amount of effort from the ports
  team, and I don't fault them for not doing it.  Still, it would be nice
  to have.

 I have to agree on that statement. I would love to see branched ports.
 This can get very important on servers, where you don't want to have
 major upgrades, but only security updates.
 I guess it's a question of manpower, hm?

With the maintainers/committers/physical_resources we have now this is
impossible.
Take a look at pav@'s PR stats page: http://www.oook.cz/bsd/prstats/
There are ~1000 new ports PRs per month. The PT Team has managed to
close about the same number per month (fewer during the freeze, of
course).
Currently there are 551 open PRs. 238 in feedback state, etc.

 Would a survey help? As in ask the ports team and FreeBSD
 administrators? Maybe some will start to become port maintainer too,
 just to support the increased work on ports due to branching them...
 I would :)

There are ~4300 unmaintained ports. Maybe you could start maintaining
some of them _now_ ?

-- 
IOnut - Un^d^dregistered ;) FreeBSD user
  Intellectual Property is   nowhere near as valuable   as Intellect

BOFH excuse #146:
Communications satellite used by the military for star wars






Re: FreeBSD Security Survey

2006-05-22 Thread Marian Hettwer

Hi Ion,

Ion-Mihai IOnut Tetcu wrote:

I have to agree on that statement. I would love to see branched ports.
This can get very important on servers, where you don't want to have
major upgrades, but only security updates.
I guess it's a question of manpower, hm?
 
 
 With the maintainers/committers/physical resources we have now this is
 impossible.
That's what I guessed...

 Take a look at pav@'s PR stats page: http://www.oook.cz/bsd/prstats/
 There are ~1000 new ports PRs per month. The PT Team has managed to
 close about the same number per month (fewer during the freeze, of
 course).
 Currently there are 551 open PRs. 238 in feedback state, etc.
I see...

 
 
Would a survey help? As in ask the ports team and FreeBSD
administrators? Maybe some will start to become port maintainer too,
just to support the increased work on ports due to branching them...
I would :)
 
 
 There are ~4300 unmaintained ports. Maybe you could start maintaining
 some of them _now_ ?
 
I'll have a look into my ports tree. Let me guess, ports which have
the maintainer [EMAIL PROTECTED] are unmaintained?

regards,
Marian


Re: FreeBSD Security Survey

2006-05-22 Thread Steven Hartland

Brent Casavant wrote:

On Sun, 21 May 2006, Colin Percival wrote:



So, in short, that's why *I* rarely update ports for security reasons.

There are steps that could be taken at the port maintenance level that
would work well for my particular case, however that's beyond the
scope of the survey.  Thanks for taking the time put the survey
together, I certainly hope it proves useful.


Perfectly put there, Brent. portupgrade is all very powerful, but:
* Takes an absolute age to do anything but the simplest updates
* Often fails and needs significant manual fixing

Here it's usually 100 times quicker to just do:
pkg_info | awk '{print $1}' > packages.txt
cat packages.txt | xargs pkg_delete -f
cat packages.txt | xargs pkg_add -r

This at least brings you up to a known good set. Alternatively I
also use something similar but build from ports; the problem with
that is often the ports need to be built with custom options to get
back to how you started, so unless you were very meticulous in
noting down the options to every port on every machine you
installed, something often goes wrong :(

One good example of portupgrade going off on one is a simple
upgrade of mtr: we don't install any X on our machines so mtr-nox11
is installed. Whenever I've tried portupgrade in the past it's
always trolled off and started downloading and building the behemoth
that is X; CTRL+C hence always ensues and I forget about upgrading
until I really HAVE to.

   Steve




This e.mail is private and confidential between Multiplay (UK) Ltd. and the person or entity to whom it is addressed. In the event of misdirection, the recipient is prohibited from using, copying, printing or otherwise disseminating it or any information contained in it. 


In the event of misdirection, illegible or incomplete transmission please 
telephone (023) 8024 3137
or return the E.mail to [EMAIL PROTECTED]

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
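Steve's three-liner is the simplest wipe-and-reinstall there is, but two details bite in practice: the redirect on the first line tends to get eaten by list archives, and, as I read pkg_add(1) of that era, `pkg_add -r` given a *versioned* name looks for that exact archive under the mirror's `All/` directory, which may already have been replaced, whereas a version-less name is fetched from `Latest/`. The Go program below is an added example (mine, not Steve's script and not any FreeBSD tool) that parses constructed `pkg_info`-style lines, splits name from version at the last hyphen so that `p5-XML-Parser-2.34_1` comes out as `p5-XML-Parser`, and emits the delete and re-add commands. The sample package lines are constructed, and the `Latest/` versus `All/` behaviour is stated as an assumption in the comments.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `pkg_info` output (not captured from a real host).
// Each line is "<name>-<version> <one-line comment>". Versions never contain
// a hyphen, so the split point is the LAST hyphen; splitting at the first
// one would turn p5-XML-Parser-2.34_1 into "p5".
const samplePkgInfo = `mtr-nox11-0.71       Traceroute and ping in a single network diagnostic tool
p5-XML-Parser-2.34_1 Perl extension interface to James Clark's XML parser, expat
apache-2.0.58_1      Version 2.0.x of Apache web server with prefork MPM
expat-2.0.0_1        XML 1.0 parser written in C
perl-5.8.8           Practical Extraction and Report Language
`

// SplitPkgName splits "name-version" at the last hyphen.
// ok is false if there is no version component to split off.
func SplitPkgName(full string) (name, version string, ok bool) {
	i := strings.LastIndex(full, "-")
	if i <= 0 || i == len(full)-1 {
		return full, "", false
	}
	return full[:i], full[i+1:], true
}

// InstalledPackages returns the versioned package names from pkg_info
// output, which is what Steve's `awk '{print $1}'` extracts.
func InstalledPackages(pkgInfoOutput string) []string {
	var pkgs []string
	for _, line := range strings.Split(pkgInfoOutput, "\n") {
		if f := strings.Fields(line); len(f) > 0 {
			pkgs = append(pkgs, f[0])
		}
	}
	return pkgs
}

// ReinstallPlan builds the two command lists. pkg_delete gets the exact
// installed name; pkg_add -r gets the version-less name so the mirror's
// current build is fetched from Latest/ rather than a pinned version that
// may already be gone from All/ (assumption based on pkg_add(1) of the time).
func ReinstallPlan(pkgs []string) (deletes, adds []string) {
	for _, p := range pkgs {
		name, _, ok := SplitPkgName(p)
		if !ok {
			continue // not in name-version form; leave it for a human
		}
		deletes = append(deletes, "pkg_delete -f "+p)
		adds = append(adds, "pkg_add -r "+name)
	}
	return deletes, adds
}

func main() {
	deletes, adds := ReinstallPlan(InstalledPackages(samplePkgInfo))
	for _, c := range deletes {
		fmt.Println(c)
	}
	for _, c := range adds {
		fmt.Println(c)
	}
}
```

Two things to do around this: save `pkg_info -qoa` (the port origins) as well before wiping, since that is the list you need if the reinstall ends up being from ports rather than packages, and remember that between the `pkg_delete` pass and the `pkg_add` pass the box has no packages at all, so run it with the exposed services stopped or on a staging copy first.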


Re: FreeBSD Security Survey

2006-05-22 Thread IOnut
On Mon, 22 May 2006 12:43:47 +0200
Marian Hettwer [EMAIL PROTECTED] wrote:

 
 Hi Ion,
 
 Ion-Mihai IOnut Tetcu wrote:
 
 I have to agree on that statement. I would love to see branched ports.
 This can get very important on servers, where you don't want to have
 major upgrades, but only security updates.
 I guess it's a question of manpower, hm?
  
  
  With the maintainers/committers/physical resources we have now this is
  impossible.
 That's what I guessed...

And it's not only a lack of manpower; we would need more hardware for the
package building cluster too.
 
  Take a look at pav@'s PR stats page: http://www.oook.cz/bsd/prstats/
  There are ~1000 new ports PRs per month. The PT Team has managed to
  close about the same number per month (fewer during the freeze, of
  course).
  Currently there are 551 open PRs. 238 in feedback state, etc.
 I see...
 
  
 Would a survey help? As in ask the ports team and FreeBSD
 administrators? Maybe some will start to become port maintainer too,
 just to support the increased work on ports due to branching them...
 I would :)

IMO this could work  only with some funding from interested companies.
Maybe that could be an idea for a survey.

  There are ~4300 unmaintained ports. Maybe you could start maintaining
  some of them _now_ ?
  
 I'll have a look into my ports tree. Let me guess, ports which have
 the maintainer [EMAIL PROTECTED] are unmaintained?

Yup. Just ' cd /usr/ports/ ; make search [EMAIL PROTECTED] '


-- 
IOnut - Un^d^dregistered ;) FreeBSD user
  Intellectual Property is   nowhere near as valuable   as Intellect

BOFH excuse #324:
Your packets were eaten by the terminator






Re: FreeBSD Security Survey

2006-05-22 Thread Jonathan Noack
On 05/22/06 05:40, Marian Hettwer wrote:
 Scott Long wrote:
 Brent Casavant wrote:
 While I find ports to be the single most useful feature of the FreeBSD
 experience, and can't thank contributors enough for the efforts, I on
 the other hand find updating my installed ports collection (for security
 reasons or otherwise) to be quite painful.  I typically use portupgrade
 to perform this task.  On several occasions I got bit by doing a
 portupgrade which wasn't able to completely upgrade all dependencies
 (particularly when X, GUI's, and desktops are in the mix -- though I
 always follow the special Gnome upgrade methods when appropriate).
 
 Like Scott pointed out below, stick with either building from source, or
 using packages. Mixing them may have strange side effects.
 To give an example.
 I usually use portupgrade without using packages. But last time I needed
 to update my ports (on a production server, though private not corporate
 server), I used portupgrade -P (to use packages if available).
 It updated php, using packages, but unluckily the packages were built
 against apache13. I'm using apache20, so my php installation was
 trashed. Argh.
 But even more painful is the fact that portupgrade _always_ fails on
 some perl modules. Usually p5-XML-Parser. I don't know why, but it's
 annoying...

Dropping [EMAIL PROTECTED]

Odd, I just did a 'portupgrade -fm -s p5-XML-Parser' and it worked
fine.  Note that I included the '-m -s' because it sometimes causes
port build breakage for me (postfix comes to mind).  Perhaps a
'portupgrade -Rf p5-XML-Parser' is in order?  The only dependencies are
perl and expat, so a recursive rebuild shouldn't take too long.  My
persistent port build breakages (that weren't caused by an error in the
port) have always been resolved by rebuilding all dependencies or
removing '-m -s'.

-Jonathan

-- 
Jonathan Noack | [EMAIL PROTECTED] | OpenPGP: 0x991D8195





Re: FreeBSD Security Survey

2006-05-22 Thread Jonathan Noack
On 05/22/06 06:45, Steven Hartland wrote:
 Brent Casavant wrote:
 On Sun, 21 May 2006, Colin Percival wrote:
 
 So, in short, that's why *I* rarely update ports for security reasons.

 There are steps that could be taken at the port maintenance level that
 would work well for my particular case, however that's beyond the
 scope of the survey.  Thanks for taking the time put the survey
 together, I certainly hope it proves useful.
 
 Perfectly put there, Brent. portupgrade is all very powerful, but:
 * Takes an absolute age to do anything but the simplest updates
 * Often fails and needs significant manual fixing
 
 Here it's usually 100 times quicker to just do:
 pkg_info | awk '{print $1}' > packages.txt
 cat packages.txt | xargs pkg_delete -f
 cat packages.txt | xargs pkg_add -r
 
 This at least brings you up to a known good set. Alternatively I
 also use something similar but build from ports; the problem with
 that is often the ports need to be built with custom options to get
 back to how you started, so unless you were very meticulous in
 noting down the options to every port on every machine you
 installed, something often goes wrong :(

Dropping [EMAIL PROTECTED]

The OPTIONS feature stores port preferences and helps a lot with this.
Not all ports are converted yet, but that's just a matter of time.  My
only complaint is that when options are added I'm not prompted for my
preference (I just get the default value).  I have to go back and
manually make config if I don't want the default.  If automatic
prompting for new options is added then we will truly have a set it and
forget it configuration system.  Because I track ports fairly closely
and usually catch new options, this hasn't annoyed me enough to fix it...

 One good example of portupgrade going off on one is a simple
 upgrade of mtr: we don't install any X on our machines so mtr-nox11
 is installed. Whenever I've tried portupgrade in the past it's
 always trolled off and started downloading and building the behemoth
 that is X; CTRL+C hence always ensues and I forget about upgrading
 until I really HAVE to.

You have to tell the ports system you don't want X (put the following in
/etc/make.conf):
WITHOUT_X11= yes

There are also ports (like bittorrent) that install GUIs by default.
You should also tell the ports system you don't want GUIs:
WITHOUT_GUI= yes

Some ports will still need the X libs (like graphviz), but that's not a
huge deal.

-Jonathan

-- 
Jonathan Noack | [EMAIL PROTECTED] | OpenPGP: 0x991D8195





Re: FreeBSD Security Survey

2006-05-22 Thread Charles Howse


On May 22, 2006, at 9:12 AM, Jonathan Noack wrote:


On 05/22/06 06:45, Steven Hartland wrote:

Brent Casavant wrote:

On Sun, 21 May 2006, Colin Percival wrote:

So, in short, that's why *I* rarely update ports for security reasons.

There are steps that could be taken at the port maintenance level that
would work well for my particular case, however that's beyond the
scope of the survey.  Thanks for taking the time put the survey
together, I certainly hope it proves useful.

Perfectly put there, Brent. portupgrade is all very powerful, but:
* Takes an absolute age to do anything but the simplest updates
* Often fails and needs significant manual fixing

Here it's usually 100 times quicker to just do:
pkg_info | awk '{print $1}' > packages.txt
cat packages.txt | xargs pkg_delete -f
cat packages.txt | xargs pkg_add -r

This at least brings you up to a known good set. Alternatively I
also use something similar but build from ports; the problem with
that is often the ports need to be built with custom options to get
back to how you started, so unless you were very meticulous in
noting down the options to every port on every machine you
installed, something often goes wrong :(

Dropping [EMAIL PROTECTED]

The OPTIONS feature stores port preferences and helps a lot with this.
Not all ports are converted yet, but that's just a matter of time.  My
only complaint is that when options are added I'm not prompted for my
preference (I just get the default value).  I have to go back and
manually make config if I don't want the default.  If automatic
prompting for new options is added then we will truly have a set it and
forget it configuration system.  Because I track ports fairly closely
and usually catch new options, this hasn't annoyed me enough to fix it...

One good example of portupgrade going off on one is a simple
upgrade of mtr: we don't install any X on our machines so mtr-nox11
is installed. Whenever I've tried portupgrade in the past it's
always trolled off and started downloading and building the behemoth
that is X; CTRL+C hence always ensues and I forget about upgrading
until I really HAVE to.

You have to tell the ports system you don't want X (put the following in
/etc/make.conf):
WITHOUT_X11= yes

There are also ports (like bittorrent) that install GUIs by default.
You should also tell the ports system you don't want GUIs:
WITHOUT_GUI= yes

Some ports will still need the X libs (like graphviz), but that's not a
huge deal.

Just curious, where are WITHOUT_X11 and WITHOUT_GUI documented?  I
don't see either in /usr/share/examples/etc/make.conf, nor in man
make.conf.





Re: FreeBSD Security Survey

2006-05-22 Thread Hans Lambermont
Paul Allen wrote:

...
 Some speculation:  I've always thought portupgrade did the Wrong
 Thing(tm) by consulting the dependency graph in /var/db.   Better to
 merely learn which packages were installed and then exclusively use
 the port information...

Well, a.o. portmaster tries just to do that. Have a look at
sysutils/portmaster as an alternative to sysutils/portupgrade.

I think follow-ups should go to the freebsd-ports list.

regards,
   Hans Lambermont


RE: Re: FreeBSD Security Survey

2006-05-22 Thread FreeBSD User

   As an administrator, time is always an issue.  FreeBSD has proven
   itself time and again.  Having said that, one wish would be to have
   a default/built-in security update mechanism.
   Since time is always an issue, if the system could by default
   (without an admin having to write scripts and/or apps, or manually
   update) update itself for both system and installed ports/packages, it
   likely would reduce security issues exponentially.
   This of course would be a massive project/challenge. Varying system
   and kernel configurations alone would make this a huge challenge, not
   to mention the potential security implications.
   The survey is a great idea.  I suggest adding a section for
   administrators to add comments and/or wishes.
   Sejo
   Brent Casavant wrote:
 On Sun, 21 May 2006, Colin Percival wrote:
 
 
In order to better understand
which FreeBSD versions are in use, how people are (or aren't) keeping
them updated, and why it seems so many systems are not being updated, I
have put together a short survey of 12 questions.
 
 
 I applaud this survey, however question 9 missed an important point,
 at least to me.  I was torn between answering less than once a month
 and I never update.
 
 While I find ports to be the single most useful feature of the FreeBSD
 experience, and can't thank contributors enough for the efforts, I on
 the other hand find updating my installed ports collection (for security
 reasons or otherwise) to be quite painful.  I typically use portupgrade
 to perform this task.  On several occasions I got bit by doing a
 portupgrade which wasn't able to completely upgrade all dependencies
 (particularly when X, GUI's, and desktops are in the mix -- though I
 always follow the special Gnome upgrade methods when appropriate).
 
 I can't rule out some form of pilot error, but the end result was pain.
 
 After several instances of unsatisfactory portupgrades (mostly in the
 5.2 through early 5.4 timeframe), I adopted the practice of either not
 upgrading ports at all for the life of a particular installation on a
 machine (typically about one year), or when necessary by removing *all*
 ports from the machine, cvsup'ing, and reinstalling.  This has served
 me quite well, particularly considering the minimal threat profile these
 particular systems face.
 
 So, in short, that's why *I* rarely update ports for security reasons.
 
 There are steps that could be taken at the port maintenance level that
 would work well for my particular case, however that's beyond the scope
 of the survey.  Thanks for taking the time put the survey together, I
 certainly hope it proves useful.
 
 Thank you,
 Brent Casavant
I share this frustration with you.  I was once told that the pain in
upgrading is due largely to a somewhat invisible difference between
installing a pre-compiled package, and building+installing a port.  In
theory, if you stick to one method or the other, things will stay mostly
consistent.  But if you mix them, and particularly if you update the
ports tree in the process, the end result is a bit more undefined.  One
thing that I wish for is that the ports tree would branch for releases,
and that those branches would get security updates.  I know that this
would involve an exponentially larger amount of effort from the ports
team, and I don't fault them for not doing it.  Still, it would be nice
to have.
Scott


Re: FreeBSD Security Survey

2006-05-22 Thread Miroslav Lachman

Charles Howse wrote:


Just curious, where are WITHOUT_X11 and WITHOUT_GUI documented?  I  
don't see either in /usr/share/examples/etc/make.conf, nor in man  
make.conf.


Many options (not all) are described in /usr/ports/KNOBS (but without
the WITH_/WITHOUT_ prefixes).


Miroslav Lachman


Re: FreeBSD Security Survey

2006-05-22 Thread Allen
On Mon, May 22, 2006 at 12:06:54AM -0400, Brandon S. Allbery KF8NH wrote:
 
 On May 21, 2006, at 11:55 , Colin Percival wrote:
 
  The Security Team has been concerned for some time by anecdotal reports
 concerning the number of FreeBSD systems which are not being promptly
 updated or are running FreeBSD releases which have passed their End of
 Life dates and are no longer supported. In order to better understand
 which FreeBSD versions are in use, how people are (or aren't) keeping
  them updated, and why it seems so many systems are not being updated, I
 
 I have a 6-STABLE box that is not going to be updated to 6.1 any time  
 soon, because my personal mail will have to be offline while I do so  
 --- including nuking and rebuilding all ports because the ports tree  
 has been thrashed by multiple low level updates that affect a large  
 percentage of the tree --- and it's only a 600MHz box so it will be  
 offline for most of a week during that upgrade.  And I'm uncertain  
 how downgrading it to 6.0-RELEASE+security patches will complicate  
 things (downgrading via cvsup/buildworld is not a supported option,  
 last I checked).  Granted, I probably should have stuck with 6.0-R  
 --- but then, experience has shown me that the more reliable option  
 is to wait a week or two after release and then install -STABLE.
 
 In short:  keeping FreeBSD up to date tends to be painful at best.

I'd have to agree, though it's much better than some systems, it's still
something I'd like to see some improvement on.

For example, I understand the reasons for how Free BSD does things, I do.

However, one thing I'd love to see is a much better tool for handling
updates and upgrades.

I may get reamed for what I'm about to say, but I'm willing to deal with
whatever happens with this:

I'd like to see Free BSD include an approach to updates in the way
Slackware Linux does...

Now before I get 10,000 emails saying I'm stupid or something to that
effect let me explain:

I've been using, supporting and telling people about Free BSD for many
years. When I got my first computer, I had installed Free BSD not long
after, and that was coming from Windows 95 / 98 SE.

One thing that always made me mad was when a new security flaw came out.

On my Slackware machines, it was no problem at all, I'd use wget to grab
the patch .tgz file, then do this:

upgradepkg *.tgz

I'd go get coffee or something and come back to all patches being
installed.

I know about portupgrade, and it's a good start, but I think there would be
huge benefit from a tool that allows you to download a tgz file and do
the above to install patches.

A lot of Linux only users I know would use Free BSD if the patching system
was something more Slackware like. And I don't consider it a rip off to
make a system like that because well, Slackware is a supporter of BSD.

The Slackware Essentials book I bought has BSD on the back of it and BSD is
also listed as a supporter of Slackware, so I see no Moral problem with
creating something for Free BSD that would allow this.

From what I've seen in portupgrade, you have to use a key... Which is nice
and all, but it defeats the purpose when I've personally seen someone say
"Ugh, you have to do all this just to set up portupgrade? And you have to
recompile the kernel for that Telnet update..."

Explanations as to why don't work.

I just personally feel there would be a lot more boxes getting patches
installed if you could do it like Slackware, or Linux in general, and allow
for patches that you just install with one command.

RedHat and some other distros use RPM, and they have their own update
tools, but if you wanted you could just download the RPMs and do rpm -U to
update.

Slackware I've shown already. It's a good system.

From what I've understood, Free BSD doesn't usually do binaries. I could
be wrong here as I'm not positive...

But I really think it would be for the best if there was something added to
Free BSD where you could just install patches the way you do on Linux.

I mean you wouldn't have to remove the other system that is in use now, and
as I said portupgrade is a good start, however for the people I talk to it
doesn't seem to be enough.

I'd love to see something like this added into Free BSD, where the
people who like the updates the way they are now could keep using that way,
and the newcomers and people who aren't used to it could use the
other way.

Like I said, Linux has two ways: you can use an update tool like Redhat's
up2date, or you can download the RPMs yourself.

Slackware has Swaret, slackpkg, and slapt-get, or you can simply download
the patches which are already .tgz files, and use upgradepkg to install
them.

I think the benefits would be great and more people would use it if they
knew when a new security problem came out in Free BSD all they had to do
was download a patch and type upgradepkg, or type patch, and it installed
like this.

And then a front end could be done where 

Re: FreeBSD Security Survey

2006-05-22 Thread Paul Allen
From Doug Hardie [EMAIL PROTECTED], Sun, May 21, 2006 at 11:48:51PM -0700:
 Failover sounds good in theory but has significant issues in practice  
 that make it sometimes worse than the alternative.  Take mail  
 spools.  If you failover, mail the user saw before has disappeared.   
 Then when you fail back it reappears and newer messages disappear.   
 This is hardly unnoticeable.  My users do not find that at all  
 acceptable.  Putting the mail spools on a different machine just  
 moves that problem to the different machine.  Trying to keep multiple  
 spools consistent has problems also.  I have watched raid system lose  

It's a hard problem that's why you buy a box to do it:
http://www.emc-rainwall.com

Rainfinity (recently bought by EMC) has patents on actual
peer-reviewed data-replication algorithms.

 Paul


Re: FreeBSD Security Survey

2006-05-22 Thread Julian H. Stacey
 And it's not only HR lack problem, we would need more hardware for the
 package building cluster too.

A lot of us run 24/7 netted servers with spare cycles, and wouldn't
be averse to allocating the idle loop to package building for
freebsd.org, but 3 problems:
- package building at present gets done on that trusted cluster,
- needs root for lots of builds, which many of us don't
  want to give out (sandboxes / chroot maybe ?)
- freebsd.org would need to know none of our client servers
  had `slipped it a mickey', which would best be protected
  against by anonymising I guess, so we didn't even know
  what we were compiling.
- It'd need some mechanised automation, like SETI
A nice project for some Summer Of Code student this summer ?

-- 
Julian Stacey.  Consultant Unix Net  Sys. Eng., Munich.  http://berklix.com
Mail in Ascii, HTML=spam. Ihr Rauch = mein allergischer Kopfschmerz.
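Julian's third problem, being sure that no volunteer builder "slipped it a mickey", has a structural answer that does not depend on trusting any one volunteer: hand the same port to several independent builders and accept the package only when a quorum of them return byte-identical output. That only works if the build is reproducible (same tree revision, same options, no embedded timestamps), and it does not beat colluding builders beyond the quorum, so the coordinator should still sign what it accepts. The Go program below is an added example (mine, not part of this thread or of any FreeBSD build infrastructure) of that acceptance check; the builder names and archive bytes are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// BuildResult is what one volunteer builder hands back for one port:
// who built it and the package archive bytes it produced.
type BuildResult struct {
	Builder string
	Package []byte
}

var (
	ErrNoQuorum = errors.New("no quorum of byte-identical builds")
	ErrSplit    = errors.New("two different outputs each reached quorum")
)

// Digest is the hex SHA-256 of an archive; builders are compared on it.
func Digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// AcceptBuild accepts a package only when at least `quorum` distinct
// builders produced byte-identical output. It returns the accepted digest
// and the builders whose output disagreed, so a tampering builder is both
// outvoted and named. A build that is not reproducible shows up here as a
// spurious split or a missing quorum, which is the right failure mode.
func AcceptBuild(results []BuildResult, quorum int) (accepted string, suspects []string, err error) {
	if quorum < 2 {
		return "", nil, errors.New("quorum must be at least 2")
	}
	voters := map[string]map[string]bool{} // digest -> set of builder names
	for _, r := range results {
		d := Digest(r.Package)
		if voters[d] == nil {
			voters[d] = map[string]bool{}
		}
		voters[d][r.Builder] = true // one vote per builder, however often it reports
	}
	var winners []string
	for d, set := range voters {
		if len(set) >= quorum {
			winners = append(winners, d)
		}
	}
	switch len(winners) {
	case 0:
		return "", nil, ErrNoQuorum
	case 1:
		accepted = winners[0]
	default:
		return "", nil, ErrSplit // the builders disagree among themselves
	}
	for _, r := range results {
		if Digest(r.Package) != accepted {
			suspects = append(suspects, r.Builder)
		}
	}
	sort.Strings(suspects)
	return accepted, suspects, nil
}

// Constructed sample: three honest builders agree, one returns a different archive.
var sampleResults = []BuildResult{
	{"builder-a", []byte("mtr-nox11-0.71.tbz reproducible bytes")},
	{"builder-b", []byte("mtr-nox11-0.71.tbz reproducible bytes")},
	{"builder-c", []byte("mtr-nox11-0.71.tbz reproducible bytes")},
	{"builder-d", []byte("mtr-nox11-0.71.tbz reproducible bytes + extra")},
}

func main() {
	d, suspects, err := AcceptBuild(sampleResults, 3)
	fmt.Println("accepted:", d, "suspects:", suspects, "err:", err)
}
```

The comparison runs on the coordinator, which is the only party that needs to be trusted; builders only ever see the port to build, which also fits Julian's wish that they need not know what they are compiling for.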


Re: FreeBSD Security Survey

2006-05-22 Thread Peter Jeremy
On Mon, 2006-May-22 15:20:11 -, FreeBSD User wrote:
   Since time is always an issue, if the system could by default
   (without an admin having to write scripts and/or apps, or manually
   update) update itself for both system and installed ports/packages, it
   likely would reduce security issues exponentially.

I think it would substantially reduce the reliability and security.

Firstly, automatically installing arbitrary fixes on a production
system is almost always a bad idea.  The release engineering and
security teams do regression testing but can't test exactly your
system configuration and there's a non-trivial likelihood that
installing patch X will break something that your configuration relies
on.  This can be mitigated by using a test system and rolling out the
updates from it, but that negates the whole point.

It's also likely to inconvenience users.  Our ITS department take it
upon themselves to automatically roll out (wintel) desktop updates.
This almost always results in your desktop machine insisting that it
needs to be rebooted immediately when you are in the middle of doing
something crucial - thus breaking your concentration and potentially
losing data (my manager managed to lose 3 man-hours work once).  I,
for one, would hate it if my FreeBSD boxes started doing the same.

Specific FreeBSD versions aren't maintained forever.  An install it
and forget it philosophy will increase the number of machines that
aren't being patched because they are running unmaintained versions
of FreeBSD.  With the current approach, the sysadmin is aware that
particular machines need to be updated to a newer version.  If
everything is automatic, the sysadmin will probably forget.

Finally, it only takes one security failure in the update process for
someone undesirable to own all the FreeBSD machines that have been
left in this default mode.  Despite the best efforts of FreeBSD
developers, FreeBSD will always contain bugs and some of them will
be security holes.  Any automatic update process needs to balance
the benefits of reducing the number of unpatched boxes against the
risks of the update system being subverted.

-- 
Peter Jeremy
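Peter's last point, that one failure in the update path owns every box left in the default auto-update mode, is the threat model any update client has to be designed against. The Go program below is an added example (mine, not freebsd-update, portupgrade or any FreeBSD code) showing the three checks such a client should make before it touches the system: a signature over a canonical manifest checked with a pinned public key, a strictly increasing serial so that a compromised mirror cannot replay an older, still validly signed manifest to hold you on a vulnerable version, and a per-file digest check. The key pair, file contents and serial numbers are constructed for the demonstration; a real signing key lives offline and only its public half ships with the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest describes one update: each file's SHA-256 and a serial that only
// ever increases, so a client can reject an older but validly signed manifest.
type Manifest struct {
	Serial uint64
	Files  map[string]string // path -> hex SHA-256 of the file contents
}

// Encode returns the canonical bytes that get signed. Paths are sorted so
// signer and verifier serialise identically regardless of map order.
func (m Manifest) Encode() []byte {
	paths := make([]string, 0, len(m.Files))
	for p := range m.Files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	fmt.Fprintf(&b, "serial %d\n", m.Serial)
	for _, p := range paths {
		fmt.Fprintf(&b, "%s %s\n", m.Files[p], p)
	}
	return []byte(b.String())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("manifest serial not newer than installed")
	ErrMissing      = errors.New("file listed in manifest was not fetched")
	ErrDigest       = errors.New("fetched file does not match manifest digest")
)

func hexSum(data []byte) string {
	s := sha256.Sum256(data)
	return hex.EncodeToString(s[:])
}

// Verify is the client side. Order matters: signature first, so nothing
// unauthenticated is acted on; then rollback; then every file. Only when
// all of that passes may the caller install anything.
func Verify(pub ed25519.PublicKey, m Manifest, sig []byte,
	installedSerial uint64, fetched map[string][]byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Serial <= installedSerial {
		return ErrRollback
	}
	for path, want := range m.Files {
		data, ok := fetched[path]
		if !ok {
			return fmt.Errorf("%w: %s", ErrMissing, path)
		}
		if hexSum(data) != want {
			return fmt.Errorf("%w: %s", ErrDigest, path)
		}
	}
	return nil
}

// Scenario plays publisher and client over constructed files and returns the
// verdict for an honest update, the same update with one file tampered on the
// mirror, and a replay of a manifest the client already has. The key pair is
// generated here only for the demonstration.
func Scenario() (honest, tampered, replayed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{ // constructed update payload
		"bin/mtr":         []byte("mtr binary, fixed build"),
		"lib/libexpat.so": []byte("expat shared library"),
	}
	m := Manifest{Serial: 42, Files: map[string]string{}}
	for p, data := range files {
		m.Files[p] = hexSum(data)
	}
	sig := ed25519.Sign(priv, m.Encode())

	honest = Verify(pub, m, sig, 41, files)

	evil := map[string][]byte{}
	for p, d := range files {
		evil[p] = d
	}
	evil["bin/mtr"] = []byte("mtr binary with something extra")
	tampered = Verify(pub, m, sig, 41, evil)

	replayed = Verify(pub, m, sig, 42, files) // client is already at serial 42
	return honest, tampered, replayed
}

func main() {
	h, t, r := Scenario()
	fmt.Println("honest:", h, "| tampered:", t, "| replayed:", r)
}
```

With the key pinned in the client, a compromised mirror alone cannot push code; it would need the signing key. The rollback check is the one people forget: replaying yesterday's manifest needs no key at all, and it is exactly the move an attacker makes to keep a fleet on the version they already have an exploit for.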


RE: Re: FreeBSD Security Survey

2006-05-22 Thread FreeBSD User

   Should something like automatic security updates not be a goal? If
   done correctly, and on a per-stable/version basis, it is possible to
   increase security exponentially. The responsible administrator will
   naturally keep ontop of all changes and fixes.  But just like in the
   wintel and other *nix worlds, not every administrator updates their
   servers. Ok, maybe only a few FreeBSD administrators don´t update...
   What I am trying to suggest is a mechanism that incorporates all
   security fixes and specified (or installed) ports/packages for a given
   server, within a per-stable/version basis.  Tools that exist already
   accomplish this, and run by a custom script via cron.  There still
   would likely be a strong need for an administrator to buildworld,
   especially for those of us who prefer configuring custom kernels and
   building (mostly) by source.
   It is naturally a wish that could potentially save a busy
   administrator some time. As I said, this of course would be a massive
   project/challenge. Varying system and kernel configurations alone
   would make this a huge challenge, not to mention the potential
   security implications.
   Granted, many FreeBSD versions will not be maintained for long periods
   of time.  But are there no out dated versions running now?
   Is something like this not worth looking at for the future?
   Sejo
    Original Message 
   From:Peter Jeremy
   Sent: Tue 23 May 2006 05:23:50 1000
   To: FreeBSD User
   Subject: Re: FreeBSD Security Survey
On Mon, 2006-May-22 15:20:11 -, FreeBSD User wrote:
   Since time is always an issue, if the system could by default
   (without an admin having to write scripts and/or apps, or manually
   update) update itself for both system and installed ports/packages, it
   likely would reduce security issues exponentially.
I think it would substantially reduce the reliability and security.
Firstly, automatically installing arbitrary fixes on a production
system is almost always a bad idea.  The release engineering and
security teams do regression testing but can't test exactly your
system configuration and there's a non-trivial likelihood that
installing patch X will break something that your configuration relies
on.  This can be mitigated by using a test system and rolling out the
updates from it, but that negates the whole point.
It's also likely to inconvenience users.  Our ITS department take it
upon themselves to automatically roll out (wintel) desktop updates.
This almost always results in your desktop machine insisting that it
needs to be rebooted immediately when you are in the middle of doing
something crucial - thus breaking your concentration and potentially
losing data (my manager managed to lose 3 man-hours work once).  I,
for one, would hate it if my FreeBSD boxes started doing the same.
Specific FreeBSD versions aren't maintained forever.  An install it
and forget it philosophy will increase the number of machines that
aren't being patched because they are running unmaintained versions
of FreeBSD.  With the current approach, the sysadmin is aware that
particular machines need to be updated to a newer version.  If
everything is automatic, the sysadmin will probably forget.
Finally, it only takes one security failure in the update process for
someone undesirable to own all the FreeBSD machines that have been
left in this default mode.  Despite the best efforts of FreeBSD
developers, FreeBSD will always contain bugs and some of them will
be security holes.  Any automatic update process needs to balance
the benefits of reducing the number of unpatched boxes against the
risks of the update system being subverted.
-- 
Peter Jeremy


Re: FreeBSD Security Survey

2006-05-22 Thread David Magda


On May 22, 2006, at 11:49, Allen wrote:

On my Slackware machines, it was no problem at all, I'd use wget to
grab the patch .tgz file, then do this:

upgradepkg *.tgz


I believe there was some talk in the past of treating the base system  
like a package.  NetBSD has some code that does this called syspkg,  
but it isn't really working AFAICT.


The planned work on updating the installer was part of this (and Tim  
Kientzle's work on libarchive as well). FreeBSD Update would be  
something in a similar vein.


Is it safe to assume that this is still somewhat desired, but that  
one of the stumbling blocks is time / resources?


Regards,
David


Re: FreeBSD Security Survey

2006-05-21 Thread Brandon S. Allbery KF8NH


On May 21, 2006, at 11:55 , Colin Percival wrote:

The Security Team has been concerned for some time by anecdotal reports
concerning the number of FreeBSD systems which are not being promptly
updated or are running FreeBSD releases which have passed their End of
Life dates and are no longer supported. In order to better understand
which FreeBSD versions are in use, how people are (or aren't) keeping
them updated, and why it seems so many systems are not being updated, I


I have a 6-STABLE box that is not going to be updated to 6.1 any time  
soon, because my personal mail will have to be offline while I do so  
--- including nuking and rebuilding all ports because the ports tree  
has been thrashed by multiple low level updates that affect a large  
percentage of the tree --- and it's only a 600MHz box so it will be  
offline for most of a week during that upgrade.  And I'm uncertain  
how downgrading it to 6.0-RELEASE+security patches will complicate  
things (downgrading via cvsup/buildworld is not a supported option,  
last I checked).  Granted, I probably should have stuck with 6.0-R  
--- but then, experience has shown me that the more reliable option  
is to wait a week or two after release and then install -STABLE.


In short:  keeping FreeBSD up to date tends to be painful at best.

--
brandon s. allbery [linux,solaris,freebsd,perl]   [EMAIL PROTECTED]
system administrator  [openafs,heimdal,too many hats]   [EMAIL PROTECTED]
electrical and computer engineering, carnegie mellon university   KF8NH






Re: FreeBSD Security Survey

2006-05-21 Thread Doug Hardie


On May 21, 2006, at 20:55, Colin Percival wrote:

If you administrate system(s) running FreeBSD (in the broad sense of are
responsible for keeping system(s) secure and up to date), please visit

  http://people.freebsd.org/~cperciva/survey.html
and complete the survey below before May 31st, 2006.



What doesn't fit into the survey very well is that all my servers are  
production ones and it causes a lot of grief for users when I bring  
them down.  I try to hold updates to once per year because of that.   
I am currently in the middle of upgrading from 5.3 to 6.0.  The easy  
machines are done but there are still a few that will take  
considerable on-site time which is not easy to come by.



Re: FreeBSD Security Survey

2006-05-21 Thread Brent Casavant
On Sun, 21 May 2006, Colin Percival wrote:

 In order to better understand
 which FreeBSD versions are in use, how people are (or aren't) keeping
 them updated, and why it seems so many systems are not being updated, I
 have put together a short survey of 12 questions.

I applaud this survey, however question 9 missed an important point,
at least to me.  I was torn between answering less than once a month
and I never update.

While I find ports to be the single most useful feature of the FreeBSD
experience, and can't thank contributors enough for the efforts, I on
the other hand find updating my installed ports collection (for security
reasons or otherwise) to be quite painful.  I typically use portupgrade
to perform this task.  On several occasions I got bit by doing a
portupgrade which wasn't able to completely upgrade all dependencies
(particularly when X, GUI's, and desktops are in the mix -- though I
always follow the special Gnome upgrade methods when appropriate).

I can't rule out some form of pilot error, but the end result was pain.

After several instances of unsatisfactory portupgrades (mostly in the
5.2 through early 5.4 timeframe), I adopted the practice of either not
upgrading ports at all for the life of a particular installation on a
machine (typically about one year), or when necessary by removing *all*
ports from the machine, cvsup'ing, and reinstalling.  This has served
me quite well, particularly considering the minimal threat profile these
particular systems face.

So, in short, that's why *I* rarely update ports for security reasons.

There are steps that could be taken at the port maintenance level that
would work well for my particular case, however that's beyond the scope
of the survey.  Thanks for taking the time to put the survey together, I
certainly hope it proves useful.

Thank you,
Brent Casavant


Re: FreeBSD Security Survey

2006-05-21 Thread David Nugent

Doug Hardie wrote:

On May 21, 2006, at 20:55, Colin Percival wrote:
If you administrate system(s) running FreeBSD (in the broad sense of are
responsible for keeping system(s) secure and up to date), please visit
  http://people.freebsd.org/~cperciva/survey.html
and complete the survey below before May 31st, 2006.


What doesn't fit into the survey very well is that all my servers are 
production ones and it causes a lot of grief for users when I bring 
them down.  I try to hold updates to once per year because of that.  I 
am currently in the middle of upgrading from 5.3 to 6.0.  The easy 
machines are done but there are still a few that will take 
considerable on-site time which is not easy to come by.


A good failover strategy comes into play here.

If you have one, then taking a single production machine off-line for a 
short period should be no big deal, even routine, and should not even be 
noticed by users if done correctly.  This should be planned for and part 
of the network/system design. Yes, it definitely requires more resources 
to support, but I'll rephrase the same problem: what happens when (and I 
mean *when* and not *if*) a motherboard or network card fries or you 
suffer a hard disk crash (even 2+ drives failing at the same time on a 
raid array is not particularly unusual considering that drives are quite 
often from the same manufactured batch)?


Lack of a failover on mission critical systems that *can't* be offline
is like playing Russian roulette.



Re: FreeBSD Security Survey

2006-05-21 Thread Scott Long

Brent Casavant wrote:


On Sun, 21 May 2006, Colin Percival wrote:



In order to better understand
which FreeBSD versions are in use, how people are (or aren't) keeping
them updated, and why it seems so many systems are not being updated, I
have put together a short survey of 12 questions.



I applaud this survey, however question 9 missed an important point,
at least to me.  I was torn between answering less than once a month
and I never update.

While I find ports to be the single most useful feature of the FreeBSD
experience, and can't thank contributors enough for the efforts, I on
the other hand find updating my installed ports collection (for security
reasons or otherwise) to be quite painful.  I typically use portupgrade
to perform this task.  On several occasions I got bit by doing a
portupgrade which wasn't able to completely upgrade all dependencies
(particularly when X, GUI's, and desktops are in the mix -- though I
always follow the special Gnome upgrade methods when appropriate).

I can't rule out some form of pilot error, but the end result was pain.

After several instances of unsatisfactory portupgrades (mostly in the
5.2 through early 5.4 timeframe), I adopted the practice of either not
upgrading ports at all for the life of a particular installation on a
machine (typically about one year), or when necessary by removing *all*
ports from the machine, cvsup'ing, and reinstalling.  This has served
me quite well, particularly considering the minimal threat profile these
particular systems face.

So, in short, that's why *I* rarely update ports for security reasons.

There are steps that could be taken at the port maintenance level that
would work well for my particular case, however that's beyond the scope
of the survey.  Thanks for taking the time to put the survey together, I
certainly hope it proves useful.

Thank you,
Brent Casavant


I share this frustration with you.  I was once told that the pain in
upgrading is due largely to a somewhat invisible difference between
installing a pre-compiled package, and building+installing a port.  In
theory, if you stick to one method or the other, things will stay mostly
consistent.  But if you mix them, and particularly if you update the
ports tree in the process, the end result is a bit more undefined.  One
thing that I wish for is that the ports tree would branch for releases,
and that those branches would get security updates.  I know that this
would involve an exponentially larger amount of effort from the ports
team, and I don't fault them for not doing it.  Still, it would be nice
to have.

Scott
