Re: FreeBSD Security Survey



On Monday 22 May 2006 01:44, Scott Long wrote:
Brent Casavant wrote:
On Sun, 21 May 2006, Colin Percival wrote:
In order to better understand
which FreeBSD versions are in use, how people are (or aren't)
keeping them updated, and why it seems so many systems are not
being updated, I have put together a short survey of 12
questions.

I applaud this survey, however question 9 missed an important
point, at least to me. I was torn between answering "less than
once a month" and "I never update".

While I find ports to be the single most useful feature of the
FreeBSD experience, and can't thank contributors enough for the
efforts, I on the other hand find updating my installed ports
collection (for security reasons or otherwise) to be quite
painful. I typically use portupgrade to perform this task. On
several occasions I got "bit" by doing a portupgrade which wasn't
able to completely upgrade all dependencies (particularly when X,
GUIs, and desktops are in the mix -- though I always follow the
special Gnome upgrade methods when appropriate).

I can't rule out some form of pilot error, but the end result was
pain.

After several instances of unsatisfactory portupgrades (mostly in
the 5.2 through early 5.4 timeframe), I adopted the practice of
either not upgrading ports at all for the life of a particular
installation on a machine (typically about one year), or when
necessary by removing *all* ports from the machine, cvsup'ing,
and reinstalling. This has served me quite well, particularly
considering the minimal threat profile these particular systems
face.

So, in short, that's why *I* rarely update ports for security
reasons.

There are steps that could be taken at the port maintenance level
that would work well for my particular case, however that's
beyond the scope of the survey. Thanks for taking the time to put
the survey together; I certainly hope it proves useful.

Thank you,
Brent Casavant

I share this frustration with you. I was once told that the pain
in upgrading is due largely to a somewhat invisible difference
between installing a pre-compiled package, and building+installing
a port. In theory, if you stick to one method or the other, things
will stay mostly consistent. But if you mix them, and particularly
if you update the ports tree in the process, the end result is a
bit more undefined. One thing that I wish for is that the ports
tree would branch for releases, and that those branches would get
security updates. I know that this would involve an exponentially
larger amount of effort from the ports team, and I don't fault them
for not doing it. Still, it would be nice to have.
More ports seem to be separating out their different versions into
portname20, portname, portname21, etc. This takes out quite a bit of
the updating woes without causing too much overhead for the
maintainers. Since maintaining a security branch for releases would
require too much overhead, it might be nice to have a mechanism to track
the "release version" of the installed software.
e.g.
For 6.0 release I installed lang/lua which is lua-5.0
Then when I cvsup next time the maintainer has created a lang/lua50
port for the old version and lang/lua is now version 5.1. It would
be nice to have a mapping that I can say "Stay with version 5.0.x"
and when I do a portupgrade it will see that lua-5.0 is installed so
use lang/lua50 instead of lang/lua.
As a port maintainer, I could probably live with that extra mapping.

Though currently I try to keep a few jails configured on my desktop
that match customers' configurations and perform updates in the jail
first, just to see if there will be any hiccups before actually
performing the updates on a customer's system. I only have 3 basic
configurations that I use, so it's not that big of a deal for me.

My biggest gripe about updating the base system is the mergemaster
step, but once mergemaster -U is cut into a release it should fix
that annoyance.

--
Anish Mistry
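The "stay with version 5.0.x" mapping proposed above, sketched as an added example in POSIX sh; this is not code from the thread, from portupgrade or from FreeBSD. It assumes a hypothetical pin file (name, version prefix, port origin to track) and a constructed installed-package list standing in for `pkg_info` output plus each package's recorded origin; with those in hand it resolves, per package, which port origin an upgrade should be built from, so an installed lua-5.0.x keeps following lang/lua50 after lang/lua has moved on to 5.1.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: a minimal
# "stay with version X" origin map. Each installed package is split into
# name and version; if a pin for that name matches the version's prefix,
# the pinned port origin replaces the origin recorded at install time.

# Constructed sample input: package name-version as pkg_info would list it,
# followed by the origin it was installed from. Not real system data.
INSTALLED='lua-5.0.2 lang/lua
gettext-0.14.5 devel/gettext
lua-5.1.1 lang/lua'

# Constructed pin file (hypothetical /usr/local/etc/port-pins):
# package name, version prefix to stay on, port origin carrying that version.
PINS='lua 5.0 lang/lua50
gettext 0.14 devel/gettext'

# resolve_origin NAME VERSION DEFAULT_ORIGIN
# Prints the pinned origin when NAME has a pin whose version prefix matches
# VERSION, otherwise prints DEFAULT_ORIGIN unchanged.
resolve_origin() {
  name=$1
  version=$2
  default=$3
  pinned=$(printf '%s\n' "$PINS" | while read -r pname prefix origin; do
    [ "$pname" = "$name" ] || continue
    case "$version" in
      "$prefix"|"$prefix".*) printf '%s\n' "$origin"; break ;;
    esac
  done)
  printf '%s\n' "${pinned:-$default}"
}

# plan_upgrades
# For every installed package, print "package origin-to-upgrade-from".
plan_upgrades() {
  printf '%s\n' "$INSTALLED" | while read -r pkg origin; do
    version=${pkg##*-}   # text after the last '-' is the version
    name=${pkg%-*}       # everything before it is the package name
    printf '%s %s\n' "$pkg" "$(resolve_origin "$name" "$version" "$origin")"
  done
}

plan_upgrades
```

Running it prints one line per package; only lua-5.0.2 is redirected to lang/lua50, while lua-5.1.1 and gettext keep their recorded origins because no pin matches their version prefix. A real implementation would read the origin from the package's +CONTENTS rather than from a constructed list, but the matching rule is the whole of the mapping.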
