> On 23 Jun 2017, at 01:19, Michelle Sullivan <miche...@sorbs.net> wrote:
>
> Peter,
>
> Peter Jeremy wrote:
>>
>> paying someone to provide whatever level of support you want. With
>> respect to your 9.x servers, no-one is saying you must replace the
>> hardware, just that the FreeBSD Project will not continue to provide
>> you with free support whilst you choose to run 9.x on them. Note that
>>
> You mistake me for someone who needs or is asking for support.
>
> I already have the proposed patch available to me on my servers, I'm not
> convinced it solves the issue, merely making it a *lot* more difficult to
> exploit, however that was my 'first look'. I have a lot more to understand and
> think about and there are many more people of higher intelligence looking at
> it than me.
>
> That said, I'm suggesting that given the amount of time this issue has been
> around and that it was supposedly fixed many years ago, that one should
> consider a special case backport for those that are not capable of creating
> their own patches... and before throwing accusations around you should
> consider how many times I have ever suggested that a particular bug gets
> backported... If you can't be bothered to check, this is the first since I
> started using FreeBSD in 2003.
Okay, let's cool this thread down. There are no accusations in this thread, and they are not needed nor welcome either. I am going to make a general note below; this is not something that is aimed at _you_ personally.

My general note is about the policy we maintain to update supported systems. Once we are ready with the currently supported branches, it might be "simple" for "someone" (not the FreeBSD Security Team) to back port those changes into older -STABLE branches. I am stating that we will not per se do that. But if someone has the time and effort to support such a change, it will be done. People like hps@ merge periodically to older branches that are officially no longer supported. That does not mean that they cannot do that, but that they have an interest in doing so, which is perfectly fine (of course).

So: if the patch is applicable for older branches as well (stable I mean), someone needs to find a committer that can vouch for it and also import it into the stable branches. He or she has to understand that it might cause problems, and they need to be investigated by that person in that case. If someone who is commercially using our Operating System has an urgent need to have this in a -STABLE branch, I am sure that a few bucks here and there can make it worth someone's (free) time to support that.

That's the way it works: we volunteer for this project, and we do understand that people are using our product, even in a commercial sense where people make a -lot- of money with "our" work. That is perfectly fine. But we have to draw a line in what we can and will support. We also have families, hobbies, and other work that obviously also costs time and generates our income(s). Even with that we are happy to work on the project, and thus the "product" that we ship. But there is a line. There are no more hours in a day than 24. We have to divide that among all those regions we are active in.

That is where the support policy comes in: we accept the fact that we maintain and support releases and stable branches after we created them. We do that for a limited amount of time, so that we can have a good division between new products and our other activities. So if someone wants to keep a committer/programmer active while he could have been playing with his kids, it should be worth his/her while (in addition to the work he/she already does for the project), and it's for the committer to decide whether that is indeed worth the while. Perhaps a committer is already being paid by someone to do this and he or she will just do it "for free"; then everyone benefits and we have to thank the sponsor for that.

So given the above, and now I am responding to your request, I do not think we should break our tradition. There are many things that are not fixed in older branches, OpenSSL comes to mind; we simply have to make a choice in what we can and cannot do, and be open about that. Branches that are no longer supported will not get official fixes anymore. A committer is free to do so, with the note that it -might- cost a few bucks to get that going.

I hope the above is making it a bit more clear on why we have to draw a line somewhere, and what it might take to get it in the STABLE branches. It can be done, but you need to find someone who can do that, with potential consequences.

Thanks,
Remko

>
> --
> Michelle Sullivan
> http://www.mhix.org/