Indeed. Doing the upgrade dance over several versions is no pain at all when compared to wiping the system completely and reinstalling followed by pulling user data from backups and in the meantime apologizing to every user for the downtime.
I'm running 6.4 on 3 systems (and 8-STABLE on about two dozen other systems). Two of the 6.4 systems are running extremely modified versions of RANCID, MRTG, and NAGIOS (among other things) and I've been making a half-hearted attempt to get some of my mods accepted by the upstream maintainers. Some of them will never accept the changes as they're specific to the way my company generates an all-in-one customer dashboard. So there's a fair amount of stuff which will probably need to be rewritten (or at least new-from-scratch patches created). Another example is the IPMI-over-PPP that these older boxes use. There doesn't seem to be a way to get that to work, given the change away from Kernel PPP and a bunch of changes to the uart / sio / puc driver set. The 3rd 6.4 box is dedicated to a customer who is planning on merging whatever he's doing on that box to a new 8-STABLE box.
throAU said: Q: why are you still running 6.x or 7.x? Sooner or later you're going to get owned due to the lack of support for a release so old.
I'd be perfectly willing to take responsibility for keeping the kernel and base patched, but what has really set me back quite a bit with ports is the intentional breakage* of the new ports build structure. While I could keep most of my 6.4 ports up-to-date that way, the new ports build structure just throws a lot of errors and quits. I could even understand ports that were tweaked for options-ng not being buildable on old boxes, but I can't even build a port that was already installed before the Great Ports Breakage and which hasn't had its port Makefile and so on changed.
Rather than waiting for that to happen you should be doing your best to migrate to a supported release ASAP.
Terry_Kennedy said: I'm running 6.4 on 3 systems (and 8-STABLE on about two dozen other systems). Two of the 6.4 systems are running extremely modified versions of RANCID, MRTG, and NAGIOS (among other things) and I've been making a half-hearted attempt to get some of my mods accepted by the upstream maintainers.
As I mentioned, I have some two dozen boxes running 8-STABLE, which get cvsup'd (and any updated ports built) at least weekly, and which get new kernels monthly.
throAU said: Oh I get it, keeping updated is painful. I don't like having to upgrade either. I don't think any of us like having to mess with production boxes that are doing their job.
Your company needs to decide whether or not the massively customized environment you have is worth the support cost, and if so, allocate enough resources (staff) for it.
My big issue here is that ports were intentionally broken and not fixed for 6.x. If you look at the commits from that time period, you'll see that there were a bunch of commit comments about "fix compatibility breakage with old infrastructure" and so on. Unfortunately, as those commits went in, the level of breakage increased.
However, your choices are:
- backport security updates to 6.x yourself
- ...
ImageMagick-nox11-6.7.5.10 Image processing tools
OpenSSH-askpass-1.2.4.1 Graphical password applet for entering SSH passphrase
alpine-2.00_3 Mail and news client descended from Pine
apr-devrandom-gdbm-db42-1.4.5.1.3.12_1 Apache Portability Library
arc-5.21p Create & extract files from DOS .ARC files
arj-3.10.22_4 Open-source ARJ
aspell-without-dicten-0.60.6.1_1 Spelling checker with better suggestion logic than ispell
autoconf-2.13.000227_6 Automatically configure source code on many Un*x platforms
autoconf-2.68 Automatically configure source code on many Un*x platforms
autoconf-wrapper-20101119 Wrapper script for GNU autoconf
automake-1.4.6_6 GNU Standards-compliant Makefile generator (1.4)
automake-wrapper-20101119 Wrapper script for GNU automake
bash-4.2.24_1 The GNU Project's Bourne Again SHell
bison-2.5,1 A parser generator from FSF, (mostly) compatible with Yacc
bitstream-vera-1.10_5 Bitstream Vera TrueType font collection
bsdpan-Mail-SpamAssassin-CompiledRegexps-body_0-1.0 Mail::SpamAssassin::CompiledRegexps::body_0 - Efficient str
ca_root_nss-3.13.4 The root certificate bundle from the Mozilla Project
cclient-2007f,1 Mark Crispin's C-client mail access routines
cdialog-1.1.20111020,1 An enhanced version of 'dialog' to work with ncurses
clamav-0.97.4 Command line virus scanner written entirely in C
compat4x-i386-5.3_9 A convenience package to install the compat4x libraries
compat5x-i386-5.4.0.8.1_1 A convenience package to install the compat5x libraries
compositeproto-0.4.2 Composite extension headers
cs-aspell-20040614.1_1,1 Aspell Czech dictionary
curl-7.24.0 Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
cvsup-without-gui-16.1h_4 File distribution system optimized for CVS (non-GUI version
cy-aspell-0.50.3_1,1 Aspell Welsh dictionary
cyrus-sasl-2.1.25_2 RFC 2222 SASL (Simple Authentication and Security Layer)
cyrus-sasl-saslauthd-2.1.25 SASL authentication server for cyrus-sasl2
da-aspell-1.4.42.1_1,2 Aspell Danish dictionary
damageproto-1.2.1 Damage extension headers
darts-0.32 A C++ template library that implements Double-Array
db4-4.0.14_1,1 The Berkeley DB package, revision 4
db41-4.1.25_4 The Berkeley DB package, revision 4.1
db42-4.2.52_5 The Berkeley DB package, revision 4.2
dirmngr-1.1.0_8 A client for managing and downloading certificate revocatio
dmxproto-2.3.1 DMX extension headers
dovecot-1.2.17 Secure and compact IMAP and POP3 servers
e2fsprogs-libuuid-1.42.2 UUID library from e2fsprogs package
el-aspell-0.50.3_1,1 Aspell Greek dictionary
emacs-nox11-23.4_8,2 GNU editing macros
en-aspell-7.1.0 Aspell English dictionaries
encodings-1.0.4,1 X.Org Encoding fonts
es-aspell-1.11.2,1 Aspell Spanish dictionary
This version has been End-of-Life since November 2010 and contains quite a number of security vulnerabilities.
Never said: I have 6.4 FreeBSD release
m6tt said: If you have Linux boxes out there, you may want to check on them...seems like bad news.
Couldn't agree more. Unfortunately there are a lot of people out there that think OS A is better than OS B and they don't need to secure their stuff. Because they are in the mistaken belief there's something magical called unix that will prevent any and all infections or hacks.
throAU said: If you have ANY boxes (regardless of operating system) "out there", you need to be keeping them up to date. Be it Linux, FreeBSD, Windows, etc.
m6tt said: I do wonder.
I recently started hearing about an attack with a similar MO affecting Linux machines:
http://www.webhostingtalk.com/showthread.php?t=1235797&page=38
http://www.reddit.com/r/netsec/comments/18ro3c/sshd_rootkit/
I immediately thought of the variety of machines affected and mentioned in this thread.
If you have Linux boxes out there, you may want to check on them...seems like bad news.
SirDice said: Couldn't agree more. Unfortunately there are a lot of people out there that think OS A is better than OS B and they don't need to secure their stuff. Because they are in the mistaken belief there's something magical called unix that will prevent any and all infections or hacks.
Terry_Kennedy said: The big problem is the customized stuff on the three 6.x boxes. Like many businesses, we have some old code. Would it be good to re-write it from scratch? Probably. Does that make any sort of business sense at all? No.
throAU said: Exactly, unfortunately.
Sure, you can reduce your exposure somewhat by going for a less popular or more cut down OS, due to the number of vulnerabilities found - but if a vulnerability is found, you need to fix it or mitigate it, regardless of OS.
Terry_Kennedy said: