Shellshock - pkg upgrade bash

hashime said:
mveety said:
hashime said:
It's an argument for properly maintaining FreeBSD's binary repositories.
They are.
No. Unless security does not matter for you at all.

Still no Bash update. Not even by now.
Look, they're updated weekly. If you *NEED* the most bleeding edge code or some security update that isn't built yet then go with ports. We don't do things like the linux people. If you want to use BSD you need to get used to that fact. Binary packages are a luxury, you're not entitled to them.
 
@SirDice, you are right about the cgi scripts. Unfortunately, I have seen many control panel vendors doing exactly these things. In any case, there was a big fuss about this bug, mainly caused by "experts" in the media.

Regarding the package delays. IMHO when we have a good package manager, like we finally do, we tend to become more lazy.... We also sometimes forget that this is a process that requires a lot of computing power and bandwidth. Since FreeBSD is really free and relies solely upon donations, there is no room for complaints. New sysadmins need to get familiar with the ports system.
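The CGI exposure mentioned above looks like this from the defender's side. The following is an added example, not code from any poster in this thread: the exploit against CGI scripts places a bash function definition ("() {" followed by a body) in an HTTP header, and because the common combined log format records the Referer and User-Agent headers, a probe sent in either of them is visible in the access log. The log lines below are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. Flags Shellshock
# probes in httpd access logs (combined log format). Sample lines are
# constructed; addresses are from documentation ranges.

SAMPLE_LOG='203.0.113.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
203.0.113.11 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; FreeBSD amd64)"
203.0.113.12 - - [25/Sep/2014:10:02:17 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 100 "() { :; }; /bin/cat /etc/passwd" "curl/7.37.0"'

# Filter stdin to lines carrying a function-definition prefix. Optional
# whitespace between "()" and "{" is allowed because probes vary it; normal
# browser headers do not contain this sequence, so false positives are rare.
# Note: grep exits 1 when nothing matches, so callers under set -e must
# account for that (the pipelines below end in wc/sort, which mask it).
shellshock_grep() {
    grep -E '[(][)][[:space:]]*[{]'
}

# Number of probe lines in the file given as $1, or in SAMPLE_LOG.
count_shellshock_hits() {
    if [ -n "${1:-}" ]; then
        shellshock_grep < "$1" | wc -l | tr -d ' '
    else
        printf '%s\n' "$SAMPLE_LOG" | shellshock_grep | wc -l | tr -d ' '
    fi
}

# Unique client addresses (first field of the combined format) that probed.
shellshock_sources() {
    if [ -n "${1:-}" ]; then
        shellshock_grep < "$1" | cut -d ' ' -f 1 | sort -u
    else
        printf '%s\n' "$SAMPLE_LOG" | shellshock_grep | cut -d ' ' -f 1 | sort -u
    fi
}

echo "probe lines: $(count_shellshock_hits)"
echo "sources:"
shellshock_sources
```

Run it against a real log with `count_shellshock_hits /var/log/httpd-access.log`; a hit on a host that exposes CGI and was running an unpatched bash is an incident, not just a scan, because the body after the braces already executed with the web server's privileges.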
 
AzaShog said:
mveety said:
Binary packages are a luxury, you're not entitled to them.

Wow, reading this in 2014 is... just.... wow!
What is “wow” is realising that people using a free OS developed by volunteers feel entitled to *something*. It’s better for me to stop here.
 
mveety said:
Look, they're updated weekly. If you *NEED* the most bleeding edge code or some security update that isn't built yet then go with ports. We don't do things like the linux people. If you want to use BSD you need to get used to that fact. Binary packages are a luxury, you're not entitled to them.

We are going in circles here.
If you mean with "we don't do things like the Linux people do" caring about security, well...
As stated earlier, if you provide binary packages without security updates in a timely manner someone should put a label on them: "do not use on an internet connected machine, we don't care about security". The FreeBSD Handbook says nothing of the sort; in the Handbook it's a viable option, and in the 10.0 Release notes it even says: pkg(7) is now the default package management utility.
*cough* default *cough*
When you look at the Handbook, installing binary packages comes before installing from ports. Anyhow, this is going in circles right back to the beginning of the thread.
Also there is no need to get all defensive and borderline aggressive about it, this is a big problem and it should be addressed.

There are 2 options here
a) discourage the use of binary packages or tell people that using FreeBSD's binary package system is highly insecure. It's 48h+ after the exploit hit and no security fix yet, that's clearly not OK. It is what Microsoft does.
b) Building once a week is fine, but in cases of severe remote exploits rebuild the package in question ASAP.

@gkontos
So are many Linux distributions, yet they have managed to distribute a proper bash binary within hours on every platform. It's fine if the binary package system is treated as a bastard child, but that needs to be communicated in the documentation.

Do it right, or don't do it at all. Doing it half leads to frustrated users and insecure FreeBSD boxes and I think no one likes that, that is something we can all agree on I hope?
 
Shellshock is a good name for this thread. I think over time there have been a lot of vulnerabilities (and some of them are more dangerous). And how many people really care about them? A well-known program like bash is a media event. I still think it takes the blink of an eye to compile it in the ports or make your own package. I always think FreeBSD users are more flexible.
 
Juanitou said:
What is “wow” is realising that people using a free OS developed by volunteers feel entitled to *something*. It’s better for me to stop here.

No, no, I do agree that people are not entitled to anything here, or in any other project developed by unpaid volunteers. I was just wowing at the attitude (not yours but in general, reading something like that) about having binary packages. That they're a luxury. It just goes to show how relevant and important FreeBSD is in 2014. I'll stop now too.
 
hashime said:
Do it right, or don't do it at all. Doing it half leads to frustrated users and insecure FreeBSD boxes and I think no one likes that, that is something we can all agree on I hope?
Sorry, but I cannot agree: bash is not part of the FreeBSD OS. If it were, as recent history shows, you would have got a binary update through freebsd-update within hours. If a FreeBSD box is compromised today by third-party software, only the person managing it is to be blamed, waiting for somebody else to provide an updated binary package instead of using the port, which has been updated almost always by some unpaid volunteer. Sure, quickly providing security updates for packages of third-party software would be nice, but with the limited resources of the FreeBSD environment it seems not possible right now. Let’s donate some money, time or knowledge to try to improve this.

Sincerely, I think the problem lies in that you are approaching a non-issue wrongly and, sure enough, this can only lead to bad conclusions and frustration.
 
Hmmm

Hmmm... (The following is an informed (I hope) suggestion, not a criticism which is how it might read otherwise)

FRI all ports built. pull pkg, pkg-devel out. Do they segfault? Put them back in.
FRI pull chromium out. Does it segfault? Put it back in.
FRI Make repo avail publicly
TUE bash vulnerability. Pull it out. Rebuild. Put it back in

...
...

...As something into the mix, to add, which could be helpful.
 
Here's some hard stats for people who still try to make this such a big issue. The number of ports that require shells/bash at run time is a whopping 157 out of the total 24000+ ports that are in the tree. Build time dependencies are not an issue because the build environment is going to be quite clean and will not inherit anything from the user's environment to the point where bash actually gets run.

Very few of the run time dependents are among the most popular FreeBSD ports as far as I can see. The full list can be found at http://www.freshports.org/shells/bash/, scroll down to the "This port is required by" and "for Run".

To people who are going to say that they absolutely need to use shells/bash you have my sympathy.
 
Everybody here knows that I have shifted most of my servers to CentOS. (At least the old crew.)

Regarding, shellshock bug though. I must admit that the most professional approach to the problem came from the FreeBSD community.
 
Is the Bash binary package tested before it is deposited to the Package servers, or are customers expected to do their own testing before rolling it out to all of our servers?

I see the post Ports Tree Now Fully Staged which talks a bit about a testing framework, but I can't find more customer-facing information about this testing framework.

Thanks,

-= Stefan
 
There are 2 options here
a) discourage the use of binary packages or tell people that using FreeBSD's binary package system is highly insecure. It's 48h+ after the exploit hit and no security fix yet, that's clearly not OK. It is what Microsoft does.
b) Building once a week is fine, but in cases of severe remote exploits rebuild the package in question ASAP.

Arguably, the third option is that the authoritative documentation, like the FreeBSD Handbook, should set proper expectations for the business customers. Be clear about the once-per-week schedule, be clear that this same schedule applies to critical vulnerabilities and that customers should be expected to build from source or compile their own packages using something like poudriere. "If you use FreeBSD in the enterprise for more than a few systems, we strongly encourage that you set up your own binary package server using poudriere." or something similar.

Keep in mind folks, Shellshock isn't simply a media event, it was also a management edict. Every security authority out there, like CERT & the DHS, said "PATCH BASH. NOW." and most organizations have a contractual obligation with their customers which says "We will address all security issues and provide timely updates to our systems. Exceptions will be rare."

Just about every sysadmin on the planet was required to patch Bash as soon as possible. We don't have the luxury to say "You know what? CERT is wrong when they give this a 10/10 rating. I think it's not that critical." Sysadmins worked late nights, long days and on the weekend to get this patched. Usually, we can't just uninstall bash because our tools and customers might depend on it.
 
alexus said:
I'm using FreeBSD-9.1-p5.

pkg upgrade bash:

That command is incorrect. The correct command is pkg install bash

pkg upgrade is used to upgrade all installed packages, not single packages.
 
pkg upgrade is used to upgrade all installed packages, not single packages.

Are you sure? The man page says it can be used to update 'specific' packages? At least that's how I read their meaning of 'pkg-name' and 'specific packages'.

pkg upgrade [--{force,no-install-scripts,dry-run,fetch-only}]
[--{quiet,no-repo-update,yes}] [--repository reponame]
[--{case-sensitive,glob,case-insensitive,regex}]
[<pkg-origin|pkg-name|pkg-name-version> ...]

DESCRIPTION
pkg upgrade is used for upgrading packaged software distributions.

pkg upgrade compares the versions of all or specific packages installed
on the system to what is available in the configured package reposito-
ries.

In addition, `pkg upgrade bash` seems to work just fine, and `pkg upgrade someotherpackage` installed that package, and a dependencies or two.
 
phoenix said:
That command is incorrect. The correct command is pkg install bash

pkg upgrade is used to upgrade all installed packages, not single packages.

Actually it's a new feature with 1.3.x. Before you would have had to do a pkg install bash which would have only upgraded bash and is a bit counter-intuitive.
 
Bash is not worth it; it is a vulnerability. In days past, security experts were telling the press about the danger of using Bash.
 
@junovitch thank you. I hadn't realized that one can now use pkg upgrade on a specific package.
 
junovitch said:
phoenix said:
That command is incorrect. The correct command is pkg install bash

pkg upgrade is used to upgrade all installed packages, not single packages.

Actually it's a new feature with 1.3.x. Before you would have had to do a pkg install bash which would have only upgraded bash and is a bit counter-intuitive.

Ah, good to know. I was reading a 1.2.x man page. Only just upgraded to 1.3.x today.
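The two checks an admin actually wants around "pkg upgrade bash" are whether the installed bash is still exploitable and whether the repository has a newer package yet. The script below is an added example, not code from any poster in this thread. It assumes pkg 1.3 or newer (so that `pkg upgrade bash` acts on a single package, as junovitch describes), the port origin shells/bash, and bash at /usr/local/bin/bash when no path is given. The probe is the widely published one for the original bug (CVE-2014-6271); passing it shows that particular fix is present, not that the later follow-up fixes are, so the package version comparison matters too.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. Assumes pkg >= 1.3,
# port origin shells/bash, and bash at /usr/local/bin/bash by default.

# Print "vulnerable", "patched" or "missing" for the bash binary at $1.
# An unpatched bash imports the exported variable as a function definition
# and runs the code after the closing brace at startup, so "vulnerable" shows
# up in the output. A patched bash ignores the trailing code (and may warn
# on stderr, which is discarded). Only the original bug is exercised.
shellshock_check() {
    bin=$1
    [ -x "$bin" ] || { echo missing; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo probe' 2>/dev/null) || out=""
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Compare the installed shells/bash package with the configured repository.
# Prints "no-pkg", "not-installed", "current" or "upgrade <inst> -> <repo>".
# pkg version -t compares two version strings and prints "<", "=" or ">".
bash_pkg_status() {
    command -v pkg >/dev/null 2>&1 || { echo no-pkg; return 0; }
    inst=$(pkg query '%v' bash 2>/dev/null) || inst=""
    [ -n "$inst" ] || { echo not-installed; return 0; }
    repo=$(pkg rquery '%v' bash 2>/dev/null) || repo=""
    if [ -n "$repo" ] && [ "$(pkg version -t "$inst" "$repo")" = "<" ]; then
        echo "upgrade $inst -> $repo"
    else
        echo current
    fi
}

# Installed packages that declare a run-time dependency on bash: the
# thread's "157 out of 24000+" figure narrowed to this host.
bash_rdeps() {
    command -v pkg >/dev/null 2>&1 || return 0
    pkg query '%rn-%rv' bash 2>/dev/null || true
}

main() {
    bin=${1:-/usr/local/bin/bash}
    echo "binary $bin: $(shellshock_check "$bin")"
    echo "package shells/bash: $(bash_pkg_status)"
    echo "installed packages requiring bash at run time:"
    bash_rdeps
}

main "$@"
```

If the status line reports an upgrade, `pkg upgrade bash` (or `pkg install bash` on pkg older than 1.3, as phoenix notes) pulls it in; if the repository is still behind, the remaining options are the ones the thread argues about, rebuilding shells/bash from the ports tree or from a poudriere repository of your own, and re-running the probe afterwards confirms the binary that is actually on disk is the fixed one.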
 
Some additional questions:

- Is hardware shortage the only factor?
- Could this donation be in the form of providing the infrastructure in our own network, instead of providing a donation in the form of money to the FreeBSD organisation?

And in this case (bash of course), with such a serious bug, and the fact that bash has very few dependencies, why not provide an update for bash itself in a shorter term than once a week, instead of building the complete ports tree (assuming that that's the case)?
 