back to article FreeBSD devs ponder changes to security processes

The developers of FreeBSD have announced they'll change the way they go about their business, after users queried why known vulnerabilities weren't being communicated to users. This story starts with an anonymous GitHub post detailing some vulnerabilities in the OS, specifically in freebsd-update, libarchive, bspatch and …

  1. Charlie Clark Silver badge

    What's the problem?

    Does the author have an issue with the way the FreeBSD is addressing this? Not commenting on security problems for which there is no patch is common procedure for all vendors.

    This particular situation — where a proof of concept for the attack has been released but for which a suitable patch is not yet available — is certainly uncomfortable. But, let's see who and what is affected:

    To be exposed, a user would need to be under an active Man-In-The-Middle attack when fetching patches.

    In other words: a compromised update process is probably the least of the worries!

    Rushing out an untested patch could, as Microsoft and others can testify, cause more problems than it solves: the proverbial swallowing a spider to catch the fly. Security has often as much to do with procedure as it does with code and the advisory provides detailed information for admins on how to mitigate the threat until a patch can be made available. This isn't perfect but is good practice.

    Perhaps the most surprising thing is why signed packages aren't already a requirement of the process. But I'm not familiar with the details. The update toolchain is obviously a vulnerability for any system, as once it has been compromised the whole system is effectively compromised. But hardening the toolchain is easier said than done: you have the repositories, transport and code to worry about.

    1. Rainer

      Re: What's the problem?

      FreeBSD updates for the base system don't come as packages.

      They come in as a number of individual files, each one comes with it's own checksum file.

      FreeBSD 11.1 will change that and the base system will be packaged, too.

      (Things didn't work out for 11.0).

  2. Anonymous Coward
    Anonymous Coward

    Fortunately we have alternatives...

    freebsd-update is used to update the base system, though in 'binary' format. The other alternative is to check out the source code using Subversion and then compiling that yourself. I'll admit it's more tedious than letting freebsd-update handle things, but its still a way to work around using it.

    Portnsnap is another example. A very easy way to keep your ports collection (usual location being /usr/ports) up to date. But once again you can also use Subversion.

  3. Dinsdale247


    There have been grumblings about the security in the binary update and the age of the freebsd-update system since I started playing with FreeBSD 4 years ago. As has been stated, use svn and build from sources if you think there is an issue.

    I think @Rainer is talking about using the pkgng system for binary updates to the base packages (as well as the user packages). I didn't hear why it won't be in 11.0 though?

    1. Rainer

      Re: Grumblings

      It was planned for 11.0, but people realized there were a few loose ends.

      And FreeBSD generally doesn't like loose ends ;-)

      As such, it will apparently mature over the 11-series.

      I always sort of liked the way it is: base just a tar-ball, the rest packages, especially after pkg-ng started to arrive.

      But doing freebsd-update on a lot of servers really takes the joy out of it a bit ;-)

  4. Anonymous Coward
    Anonymous Coward

    s/FreeBSB/FreeBSD/ please.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like