
posted by cmn32480 on Friday August 12 2016, @11:16AM   Printer-friendly
from the all-it-takes-is-time-and-money dept.

Arthur T Knackerbracket has found the following story:

The developers of FreeBSD have announced they'll change the way they go about their business, after users asked why known vulnerabilities weren't being communicated to them.

This story starts with an anonymous GitHub post detailing some vulnerabilities in the OS, specifically in freebsd-update, libarchive, bspatch and portsnap. Some of the problems in that post were verified and the FreeBSD devs started working on repairs.

But over on the FreeBSD security list, threads started asking why users weren't being told much about the bugs or the remediation efforts. That's a fair question, because updating FreeBSD could in some circumstances actually expose users to the problem.

Now the FreeBSD team has answered those questions by saying “As a general rule, the FreeBSD Security Officer does not announce vulnerabilities for which there is no released patch.”

The operating system's developers and security team are now “reviewing this policy for cases where a proof-of-concept or working exploit is already public.”

That post also explains that the team is considering more detailed security advisories. There's also an admission that the proposed patch may have broken other things in the OS.

The post concludes by saying that the FreeBSD core and security teams are working with all due haste to fix things and will let those subscribed to its mailing lists know when patches are ready and the danger is past.

[The majority of SoylentNews.org's servers run Ubuntu 14.04 LTS (Long Term Stable version). Upgrading to version 16.04 LTS would expose our systems to systemd and there has been some discussion among staff about our options. One option under consideration would be FreeBSD. Are there any Soylentils who run FreeBSD? What has your experience been? Any surprises to share with the community? --martyb]


  • (Score: 1, Interesting) by Anonymous Coward on Friday August 12 2016, @07:02PM (#387127)

    I've been a UNIX systems administrator for over thirty years.

    I started out administering VAX 11/750s running BSD 4.2 and BSD 4.3, directly from Berkeley. I also supported machines running Mt Xinu's port of BSD.

    At one time I was working with engineers evaluating the Sun 1 - if I recall correctly, it was based on the 68000 or maybe the 68010, the same chipset used by Apple for the original black-and-white Macintosh. This was before Sun had a graphical user interface, or even a mouse.

    I remember the big effort to port BSD to the 386 - 386BSD, they called it - and how that morphed into FreeBSD, and NetBSD, and OpenBSD.

    At about the same time, a guy named Linus posted his open source kernel. It was a curiosity, but everyone who knew anything about UNIX was knee-deep in the BSD open source movement.

    Since then, Linux has matured - but it still demands all of the attention, and pretends that it alone is the open source movement. Those of us who watched it born know better and tend to ignore it like the spoiled child it is. Its inability to play nicely with other UNIXes is legendary.

    Nowadays I use FreeBSD on my laptop.

    If I ever get a year to work on it without disturbance, I'd like to get into OpenBSD, and leave FreeBSD behind.

    Oh, sure, I still use Linux. Two children have laptops with two different versions of Vector Linux installed, and another child uses a Raspberry Pi, with Raspbian 8 installed - based on Debian, if I recall correctly.

    Ultimately the operating system is just a board in your infrastructural platform for the application - and it should be treated as modular, just like any other element of any other infrastructure.

    It's important not to get too attached.

    So, yes, I'd recommend abandoning Linux, for production purposes.

    ~childo
