
posted by cmn32480 on Friday August 12 2016, @11:16AM
from the all-it-takes-is-time-and-money dept.

Arthur T Knackerbracket has found the following story:

The developers of FreeBSD have announced they'll change the way they go about their business, after users queried why known vulnerabilities weren't being communicated to users.

This story starts with an anonymous GitHub post detailing some vulnerabilities in the OS, specifically in freebsd-update, libarchive, bspatch and portsnap. Some of the problems in that post were verified and the FreeBSD devs started working on repairs.

But over on the FreeBSD security list, threads like this started asking why users weren't being told much about the bugs or remediation efforts. That's a fair question because updating FreeBSD could in some circumstances actually expose users to the problem.

Now the FreeBSD team has answered those questions by saying “As a general rule, the FreeBSD Security Officer does not announce vulnerabilities for which there is no released patch.”

The operating system's developers and security team are now “reviewing this policy for cases where a proof-of-concept or working exploit is already public.”

That post also explains that the team is considering more detailed security advisories. There's also an admission that the proposed patch may have broken other things in the OS.

The post concludes by saying that the FreeBSD core and security teams are working with all due haste to fix things and will let those subscribed to its mailing lists know when patches are ready and the danger is past.

[The majority of SoylentNews.org's servers run Ubuntu 14.04 LTS (Long Term Stable version). Upgrading to version 16.04 LTS would expose our systems to systemd and there has been some discussion among staff about our options. One option under consideration would be FreeBSD. Are there any Soylentils who run FreeBSD? What has your experience been? Any surprises to share with the community? --martyb]

  • (Score: 1, Insightful) by Anonymous Coward on Friday August 12 2016, @01:52PM

    by Anonymous Coward on Friday August 12 2016, @01:52PM (#387014)

    I cut my teeth in Linux, and was pretty diehard. I found my way to FreeBSD with a new gig, and haven't looked back in 6+ years. I now manage an exclusively FreeBSD shop. There is certainly a learning-curve, but it's not so bad, largely thanks to coherent documentation. I've tip-toed back into Linux recently for some personal projects, and the experience (as a Systems Admin) has been less-than-complimentary. IMHO, modern [Linux] distributions are great, as long as you don't stray from the golden path blessed by the maintainers. FreeBSD stays out of the way (figuratively), letting you focus on getting real work done.

    Rather than gush about how great FreeBSD is (and it really is), here are some of the cons...
    - Packaging: Pkg is volatile, and ports are great if you like watching code compile. We maintain our own pkg infrastructure. Linux (Debian in particular) wins hands-down.
    - Community size: Relative to Linux, it's a small community. This makes for less in-fighting, but fewer man-hours for security/bug/feature updates.
    - Third-party support: Linux is a bigger audience, so it gets more attention from devs working on other projects. We maintain patch repositories for a number of FOSS projects we utilize.
    - Feature set: FreeBSD is excellent at its core competencies, but it's a shorter list than you may be used to as a Linux user (e.g. "What do you mean there aren't 6 dozen filesystems supported?!")
  • (Score: 2) by coolgopher on Friday August 12 2016, @03:19PM

    by coolgopher (1157) on Friday August 12 2016, @03:19PM (#387054)

    I came from the other direction - I started on FreeBSD 2.2.5 and eventually ended up on Linux. My last FreeBSD box was in the 10.x days. Actually, the only reason I'm not still running FreeBSD on my main system is that I use Linux at work, and it makes it easier for me to work from home with a Linux install here too. Oh, and Raspberry Pi. The Linux support is far better on the Pi so far.

    I do miss the ports system. Prebuilt packages are convenient, but being able to customise stuff easily to reduce dependencies was very nice. Yes, I know about Gentoo, I've run it, and no, I like the FreeBSD ports much better.

    In short, a thumbs up for FreeBSD, especially for servers.

  • (Score: 3, Interesting) by rleigh on Friday August 12 2016, @06:10PM

    by rleigh (4887) on Friday August 12 2016, @06:10PM (#387111)

    All very true. I'm increasingly using FreeBSD but still very much in the Linux world as well.

    With respect to the large number of filesystems which Linux supports, it's nice if you need them but in practice most people will use one or two at most. On FreeBSD I'm finding UFS perfectly adequate for VMs and ZFS perfectly fine for servers and workstations, and NFSv4 for networking. In practice, I'm happy with just those three. Likewise on Linux ext4 or zfs plus NFS/CIFS and I'm equally happy (swap ext4 with xfs to taste).

    pkg is definitely a bit more volatile, but it's nice that there's now the more stable quarterly updates if you don't want to run your own builds and infrastructure. When the base system is also upgradeable with pkg, that will make jails vastly simpler to upgrade (as well as the base system).

    From the security point of view, I do think that Linux distributions have a more effective model at the moment. FreeBSD requires more diligence, and upgrading all your base systems, jails, and all the pkg/ports packages on top of that is currently more work, and more importantly often more delayed. As mentioned above, I think having everything upgradeable via pkg will be a massive improvement. It's all doable right now, but this will make it sufficiently simple that anyone can do a pkg update/upgrade and be confident their system is up to date.