[Tfug] "secure by default" ??

Jeremy C. Reed reed at reedmedia.net
Wed Feb 8 20:05:59 MST 2006 

On Wed, 8 Feb 2006, Ammon Lauritzen wrote:

> Along those lines, when I was installing Apache, I discovered a
> pre-existing 1.3.29 installation. Which, while it wasn't turned on and
> running without my permission, is still an obsolete server version
> lacking needed fetures that is on the machine without my approval. It
> was also not installed via the pkg system, ie, there is no easy way to
> remove it short of tracking down offending files and removing them
> individually.

OpenBSD's httpd is in the default install. If you installed OpenBSD, it is 
installed with your approval.

Remove the files if you want.

> I am led to understand that this is supposedly a 'hardened' version of
> the application and is supposed to be one of the winning features of the
> operating system. But, why haven't they at least updated to the 2.0
> line? After all, 2.0.0 was released almost four years ago. 1.3.29 is
> more than two years old, and there have been numerous security
> advisories and associated updates made to the 1.3 line since then.

This is discussed many times in OpenBSD archives. OpenBSD doesn't like 
Apache's license.

Apache would not take back OpenBSD's many improvements.

So now OpenBSD's httpd is not Apache anymore. In fact, I started working 
on porting it back to Linux to use instead of Apache's version -- because 
I trust OpenBSD's version more.

> How am I supposed to believe that their version of 1.3.29 is actually
> safe when it tells me otherwise? I don't like black boxes. Avoidance of
> such is kind of one of the big points of open source in the first place, ne?

What tells you otherwise?

As for the OpenSSL, check the CVS logs or OpenBSD change logs. OpenBSD 
does update the code for bug fixes. Changing the version is not always 
done, because that would possibly conflict with OpenSSL's own changes (nad 
they could have incompatible features). This is normal and I have seen 
other operating systems do the same.

 Jeremy C. Reed

 	  	 	 BSD News, BSD tutorials, BSD links
	  	 	 http://www.bsdnewsletter.com/

More information about the tfug mailing list