Re: CDs with patched Apache?

From: Brett Glass (brett@lariat.org)
Date: 06/18/02


Date: Tue, 18 Jun 2002 03:49:28 -0600
To: kgasso@blort.org
From: Brett Glass <brett@lariat.org>

At 12:31 AM 6/18/2002, Kameron Gasso wrote:

>Wasn't the fact that -RELEASE branches don't get updated with new packages already discussed extensively in the not-so-distant past?

Some folks yelled at me for pointing it out, but alas there was no
real discussion of how to solve the problem.

>Although it wouldn't be very glamorous (and I certainly wouldn't recommend it), the port installed with the latest -RELEASE could be "broken" so it wouldn't download and install without someone forcing it. Still, this wouldn't really encourage them to upgrade their ports tree - it'd more than likely just cause much swearing and force people to work around the problem.

It'd still be a warning. Hmmm.... Maybe the warning could be made part
of pkg_add, and/or something that pkg_add executed. It would simply say,
"proceed at your own risk!"

But if you were installing from CD, you wouldn't be warned. Unless....
Unless pkg_add phoned home to check on the package. Which is possible
if the machine can be connected to the Net.

>Long story short, no OS can keep an inexperienced admin from opening it up to security vulnerabilities...
>
>This is just another case of bad timing. Not a lot that can be done. Shouldn't we just follow the same precedence set from prior security issues which were installable from the base system (BIND, OpenSSH, etc.)?

I'd still like to come up with something better.

But right now, I have a very practical reason for asking for a "clean" CD
set. What I'm looking for is a CD set that I can hand out for evangelistic
purposes -- something that a new user can use to set up a trouble-free
Web server. Obviously, if it has a vulnerable version of Apache (it'll
probably be targeted by a worm within a week), it won't be trouble-free!
Ditto if the ATAPI CD-ROM problem isn't fixed. (Matt's right; this is
important.)

One thing about open source -- as Murray Stokely has pointed out -- is that
it's OK to miss a ship date to get things working right. If I were a CD
manufacturer, I'd strongly consider waiting until I could ship discs with
the two problems mentioned above fixed. The purpose of my query was simply
to find out if one of the vendors was (a) holding off on shipping; or (b)
planning to revise its CD set once the problems were fixed. (I could imagine
doing a smaller run in anticipation of this.) Such a vendor would get
bragging rights; it would be able to say it had a less buggy and more
secure snapshot. So, I'm hoping that one will.

--Brett

P.S. -- Like your domain name. After Don Martin, I assume?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message