“The Security Team has been concerned for some time by anecdotal reports concerning the number of FreeBSD systems which are not being promptly updated or are running FreeBSD releases which have passed their End of Life dates and are no longer supported. In order to better understand which FreeBSD versions are in use, how people are (or aren’t) keeping them updated, and why it seems so many systems are not being updated, I have put together a short survey of 12 questions. The information gathered will inform the work done by the Security Team, as well as my own personal work on FreeBSD this summer.”


The process of keeping FreeBSD updated is too manual. In today’s environment, system administration has been phased out in favor of network administration. The idea of spending countless hours on a single machine, optimizing every single aspect of it, spending countless hours auditing every file, has gone the way of million-dollar computers. In today’s networked world, the network is now the system, and most people spend the majority of their time optimizing the entire system and keeping the entire system up to date. FreeBSD needs some kind of centralized update manager that can monitor and update hundreds of machines with a few commands. Just look to RHEL or Microsoft for direction.
This is a troll, right?
The BSDs, not just FreeBSD, have the most elegant way of keeping both the system and applications up to date.
RHEL = dependency nightmares
Mickeysoft = a disaster any way you look at it. Updates often break more than they fix. I wouldn’t care to use Mickeysoft as a model for doing anything correctly.
Have you ever used any of the BSD’s? It’s a rhetorical question for sure, because if you had, you wouldn’t be making such nonsensical statements.
I haven’t had a “dependency nightmare” for a long, long time on any of the “big name” distros (RedHat or Fedora, Suse, Mandriva, etc.). The ports system is great and all, but as long as you aren’t trying to install some incredibly arcane piece of software that isn’t in a proper repository you really don’t have problems (given that wasn’t always true in the past).
“The ports system is great and all, but as long as you aren’t trying to install some incredibly arcane piece of software”
True, but this is often the case with any platform. Regardless of the system, if you decide to install something from “scratch,” it can be a pain – BSD or Linux aside, no?
This has nothing to do with system maint. or updating. My comment is that the BSDs have a very good way of updating system binaries and applications.
I used to be a FreeBSD guy. One reason I quit was because of update problems.
I had issues such as: I tried to upgrade a remote server from 4.x to 5.x, and that left the system in an unusable state. I had to drive to the hosting facility to fix it.
I found that doing a portupgrade to the latest version of Perl (even a point revision) required massive recompiling of practically everything, since Perl is one of the most-referenced port dependencies. Not every port remembers its compilation options (newer ones handle this better), leaving my system a mess.
The PHP port is a mess. I appreciate the attempt to break it into modules so that you can install/upgrade only what you need, but it had a long way to go. More than once I found that particular combinations of PHP modules would make Apache unstable. I have not had that problem on Ubuntu.
If I use FreeBSD again, I will try to use the pre-compiled kernel (instead of building my own) and pkg_add -vr {whatever} instead of compiling my own ports.
I wouldn’t care to use Mickeysoft as a model for doing anything correctly.
MS did actually do two things correctly: made $50 billion for Bill Gates and attained desktop dominance with an OS that many call incorrect.
Edited 2006-05-23 02:09
And managed to break a few laws in the process and turn a blind eye to fair business practices….
Responsibility extends much further than to your shareholders. So while you cheer for Bill Gates and Microsoft making money, spare a moment to think about the long term implications of a monopoly on the industry and disregarding the law.
spare a moment to think about the long term implications of a monopoly on the industry and disregarding the law.
There is no implication of a monopoly of any kind. It’s that there has not been any other company in the industry that is more innovative than MS to revolutionize the industry like they have. MS helped Apple when Apple was on life support; there is even an MS Office for Apple’s Mac OS X. That shows they are willing to help the competition. Enron and companies like Enron are the ones that disregarded the law, and they are no longer in business. MS is still in business, so no law was disregarded.
Off to a good start already, or off topic.
I’m using FreeBSD at home and on remote servers. I have upgraded it many times. Once you know how it works, it is quite easy to do a quick upgrade, even if you can’t reboot into single mode because it is remote.
There are a few problems though:
I have recently upgraded a 5.3 server to 6.1. I had to first upgrade it to 5.4 because 6.1 wouldn’t compile under 5.3.
Version 4.* seems to be almost impossible to upgrade to 5.* or 6.* without physical access to the server. (I’m stuck with a 4.* server and I’m sure I’m not the only one)
When you are using virtual servers, jails, the upgrade process can be quite time consuming.
***
So far FreeBSD seems to be one of the best server systems while also quite good on the desktop. It is an excellent compromise of power, security, stability and ease of use.
Edited 2006-05-22 19:48
FreeBSD’s security update system is archaic. You just can’t tell your machine to update itself like you can on 90% of Linux distros. That’d be too easy, wouldn’t it?
The current system works. That’s a fact I can’t deny. But is it the best? No. Is it even decent? Maybe.
My solution would be to add support for binary patches provided by the security team. This works on most Linux distros and is 90% faster and easier than re-compiling your kernel on a production machine.
FreeBSD’s security update system is archaic. You just can’t tell your machine to update itself like you can on 90% of Linux distros. That’d be too easy, wouldn’t it?
I think you meant Linux distros that are used by 90% of the community, because you know that the number of Linux distros almost surpasses the number of its users.
FreeBSD also lets you do binary updates with “freebsd-update” http://www.daemonology.net/freebsd-update
Recompiling the kernel on a production machine is no problem at all. The server keeps running while the upgrade is done. It only has to be rebooted once, which shouldn’t take more than 30 seconds. The core system is quite stable and kernel upgrades don’t have to be done very often.
The main drawback of the FreeBSD upgrading process is upgrading the ports. I don’t know a way to tell it to update only security issues, like what I do with Debian. You basically have to upgrade them all to the latest release and that can take a while. But this isn’t a really big problem since the server keeps running during the upgrade.
Use portaudit to check for security issues and just upgrade the ones with problems.
All of my systems email me a daily security report that tells me what has a security problem. I believe that is actually part of the default install.
It’s a fairly simple process to go upgrade with portupgrade. I automate it on my home network via cron. I still do it manually on the servers as I’m opposed to automating software installation on servers.
Sure, almost every OS has upgrade mechanisms, and often there are more than one.
The problem is that, theoretical or aesthetic beauty aside, experience has shown that the rpm/apt method of upgrading packages or even kernels has proven to be much more successful than anything offered by the *BSD family.
The point here is not that no mechanism is provided, but that through experience, portupgrade and the like have failed too often.
“the problem is that, theoretical or aesthetic beauty aside, experience has shown that the rpm/apt method of upgrading packages or even kernels has proven to be much more successful than anything offered by the *BSD family.”
Absolute nonsense…this is nothing more than your opinion. Don’t assume your opinion to be fact. You have zero ability to make that claim.
I’m not sure the high number of people staying on EOL releases has to do with the upgrade procedure. Even though it is a bit more involved than most Linux distributions, it pretty much comes down to pasting the standard commands from the handbook into a shell. I haven’t had a single anomaly occur during an upgrade for years.
I suspect that a considerable number of people stay with old releases, especially the later 4.x releases, because of stability reasons. We have had serious trouble from FreeBSD 5.1 to 5.4 on SMP machines during heavy load (e.g. web server with 1500 httpd processes). Admittedly we have gotten some really good help from kernel developers when discussing our problems on the relevant mailing lists, but we were not able to solve the locking problems. So, we made the deliberate choice to keep some high load servers running on 4.11.
Had you actually bothered to spend all of 30 seconds searching on Google, you would see there is a binary upgrade solution called freebsd-update. You people need to stop talking out of your ass as if you know what you’re talking about…
People like to do “uptime” contests.
It seems a joke, but in my humble opinion, it really has to be taken into consideration!
When I see FreeBSD has the best uptime, it means only one thing: those systems were not updated. And people are happy to have systems with such uptimes!
There is a sort of legend that a FreeBSD server can survive anything: you have to install it once, and then it runs forever.
It would be such a beautiful idea; however, security and updates should be the first priority.
“People like to do “uptime” contests. ”
Sort of true actually 🙂 Joke aside. A properly configured server doesn’t need to apply _ALL_ updates.
They should only have a limited number of services opened to the internet, as defined by their roles. As long as they keep their internet-facing services up-to-date and tight, other bugs/vulnerabilities within the OS cannot be exploited anyway.
e.g. why do you need to update the kernel when the only open service is Apache, and Apache is locked down and up-to-date?
From what I have experienced over the years of using both GNU/Linux (various distros) and the *BSDs, I have come to realize that in the *BSD world things honestly couldn’t be easier to maintain.
FreeBSD is my choice of the *BSDs and it took me a while to fully understand the system, as I came from GNU/Linux first. I started out with Slackware and eventually found my way to Debian, Gentoo and other distros with very simple package management systems. During my stay with Gentoo I decided to check out what the original ports system was like and how it compared, though I was very surprised by what else I found during my stay with FreeBSD.
The separation of a BASE system and the PORTS (software) system was a dream come true. I found that usually when it came to security FreeBSD had it right the first time through by default, not like many of the GNU/Linux distros I have used in the past. For instance the whole “fork-bomb” article that hit the net not too long ago stating that most GNU/Linux systems weren’t safe against one of these attacks by default; the *BSDs were. It’s these little things that are taken for granted and I simply can’t understand why someone can state that GNU/Linux is as secure as it is, when something so old like a fork-bomb was still able to take down a system… Things have changed though; Gentoo, Fedora and some others have put some sensible defaults in place, but unfortunately it was a little too late for my taste and I jumped ship.
Ok, enough rambling. The point is that FreeBSD does require some manual work to get a system up and running, but only at first. I wrote scripts with cron jobs in place to take care of most things. I apply to the right mailing lists to be informed of security issues and I update only where needed. Btw, you only really need one system to be updated, and you can use the binaries (if you updated properly) on every other FreeBSD box you have, and get the same results. Most important serious server companies believe in having a development at hand to test the updates first anyway, so once you’ve built and tested, just do a binary update on the other boxes. Simple as pie. Mmmm pie.
Excuse the rambling, but there is nothing hard about BSD; it’s just different, but it pays off in the long run and is much more consistent. To me this makes up for any of the so-called manual labour it takes to update the systems.
P.S. you should be watching every box as it updates anyway… even Debian messes up from time to time…
This reply is partially a reply to your post and partially to someone else’s post. In my initial post, I stated that it is too difficult to keep FreeBSD up to date. Others disagreed, but seeing how the whole article is about people not keeping their FreeBSD installations up to date, it makes their disagreement moot.
As I said earlier, the problem with the FreeBSD update mechanism is that it takes a legacy viewpoint of what a system consists of and what it doesn’t. People jumped in and started comparing FreeBSD ports/packages to Yum/Apt etc. without taking a moment to think about what I posted. In fact, their argument merely pointed out that they also have a legacy viewpoint of the system. Yum/Apt are only part of the solution; they merely ease the installation of patches on single machines. When I said look at RedHat and Microsoft for a proper solution, what I was actually referring to was Microsoft SMS and RHN.
Before anyone replies to this post, I want to ask a simple question and I want them to think about it for a second. You have 1,000 FreeBSD servers doing all sorts of stuff. How can you check what has been installed and what has not been installed, what has been updated and what has not been updated?
> “How can you check what has been installed and what has not been installed, what has been updated and what has not been updated?”
$ portversion -vl\<
For me that was the easy part. The problem was actually applying the updates.
Edited 2006-05-23 20:06
So your solution is to ssh into 1000 machines and run portversion? Good luck. Why don’t you let computers do what they are good at and let them report to you? And rather than scanning the version information, why don’t you let them tell you that they are out of date?
Edited 2006-05-23 20:13
> So your solution is to ssh into 1000 machines and run portversion? Good luck. Why don’t you let computers do what they are good at and let them report to you? And rather than scanning the version information, why don’t you let them tell you that they are out of date?
Huh? I don’t get the hostility. Of course that’s what I do. The computers run portversion, diff it daily and notify me if anything important shows up.
What sucks is the actual update process, but your question was how a FreeBSD sysadmin can check what has been installed/updated and not installed/not updated. That part is actually good.
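The approach described in the last two posts (and in the earlier one about automating portaudit/portupgrade checks via cron) is a host-side report that only speaks up when something changes. The following script is an added example, not code from any poster: it combines the `<` lines of `portversion` with the packages `portaudit` flags, compares today's list with yesterday's, and prints (and returns non-zero for) only the new entries, so cron's mail tells you about a host only when it has newly drifted out of date. The `STATE_DIR` path, the file names and the `sample_report` contents are constructed for illustration; the real data source is `collect_report`.

```shell
#!/bin/sh
# Added example (not code from the thread): a daily cron job that reports only
# what changed in the set of out-of-date or vulnerable ports since the last run.
# Assumes ports-mgmt/portupgrade (portversion) and ports-mgmt/portaudit are
# installed; STATE_DIR and the report file names are hypothetical choices.

STATE_DIR="${STATE_DIR:-/var/db/portcheck}"

# collect_report: the real data source. '<' lines from portversion are ports
# older than the ports tree; portaudit's "Affected package:" lines are
# installed packages with a known vulnerability. Sorted so it can be compared.
collect_report() {
    {
        portversion -v -l '<' 2>/dev/null
        portaudit -a 2>/dev/null | grep '^Affected package:'
    } | sort -u
}

# new_lines PREV CUR: lines present in CUR but not in PREV (both sorted);
# a missing PREV, i.e. the first run on a host, counts as empty.
new_lines() {
    p="$1"
    c="$2"
    [ -f "$p" ] || p=/dev/null
    comm -13 "$p" "$c"
}

# run_check REPORT_FN: run the report function, print findings that were not
# in the previous report, and return 1 if there were any. cron mails non-empty
# output, so you hear about a host only when something new shows up.
run_check() {
    report_fn="$1"
    mkdir -p "$STATE_DIR"
    cur="$STATE_DIR/current"
    prev="$STATE_DIR/previous"
    "$report_fn" > "$cur"
    added=$(new_lines "$prev" "$cur")
    mv "$cur" "$prev"
    if [ -n "$added" ]; then
        printf 'New out-of-date or vulnerable ports on %s:\n%s\n' "$(uname -n)" "$added"
        return 1
    fi
    return 0
}

# sample_report: constructed stand-in for collect_report so the logic can be
# exercised on a host without a ports tree. Names and versions are made up.
sample_report() {
    sort -u <<'EOF'
perl-5.8.8  <  needs updating (port has 5.8.8_1)
Affected package: apache-2.2.2
EOF
}

# For real use, call from root's crontab, e.g. "0 6 * * * /usr/local/sbin/portcheck":
# run_check collect_report
```

The first run on a host reports everything it finds; every later run is silent unless a new port has fallen behind the tree or gained a portaudit entry. Feeding the output to a central mailbox or syslog host is what turns this into the "let them tell you they are out of date" model the thread asks for, without logging in to each machine.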