Re: Patch/Announcement for DHCPD remote root hole?

From: Scott Lambert (lambert@lambertfam.org)
Date: 05/16/02


Date: Thu, 16 May 2002 00:59:10 -0400
From: Scott Lambert <lambert@lambertfam.org>
To: security@FreeBSD.ORG

On Wed, May 15, 2002 at 01:35:35PM -0600, Brett Glass wrote:
>
> Also, as I mentioned in an earlier message, there is absolutely no
> reason to supply buggy, dangerously insecure versions of packages
> by default. All we're doing is hurting users.

Sure there is. When you install release, you know you are getting
a certain level of code. It makes support more consistent.
 
> No, but you can make it easy to update. In fact, there's good reason
> for /stand/sysinstall to take users out onto the Net and help them
> secure the system.
>
> Antivirus programs, which are also sold in CD form, do this. The vendor
> knows that the day after the CD is pressed (maybe even BEFORE the CD
> is pressed; it takes time to make a master), there's a new update. So,
> the first thing the program does is try to update itself via the Net.

You are right, but it's not sysinstall's job to do this. This is
portupgrade's job.

Until we get binary patch kits, we just can't do the same thing for
the OS. I am assuming that someone has taken the trouble of diff'ing
the install images between patch levels to see how many files, and
what that translates to in megabytes, would be required for a tarball
that just unpacks over all changed files. I am also assuming that it is
prohibitively large since it is a simple, brute force method.

My iBook came with OS X 10.1.1. I had to download 40 MB of patches to
get to 10.1.2. Reboot. Download 5 MB of patches to get to 10.1.3.
Reboot. Download 2.5MB of patches to get to 10.1.4. That's not counting
the updates to the included software.

The last time I installed Solaris, it was a similar process except that
the patch sets always got larger due to their cumulative nature. You can
hunt down the individual patches but the sysadmins you are talking about
couldn't be bothered with that.

OS/2 was the same way.
 
> There's almost no reason -- ever! -- to do an FTP install of -RELEASE
> rather than -RELEASE-pN if patches exist. The FreeBSD Web site should
> steer those who are interested in installing via FTP to the latest
> patched release by default. Only if they *specifically ask for* the
> unpatched release should they get it. Otherwise, again, we are doing
> them a disservice and tarnishing FreeBSD's reputation.

Supply the hardware. Fund the development. Get your newbie sysadmins
to fund it. They are the ones who need these features, let them pay
for it. It sounds great. But, it is going to take several hours of
somebody's "quality time with the kids" to code it up. That's why
it probably won't happen without funding. If you get started on the
process now, it might be ready for 5.0. Maybe.

Rather than ranting on the lists, your time might be better spent fund-
raising so that the issues you want resolved can get the attention you
think they should get.

Installation and maintenance are hard for commercial vendors to get
right.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert@lambertfam.org       http://www.lambertfam.org/~lambert/resume.html
3 years Sr. SysAdmin experience with FreeBSD in small & medium size ISPs.