[Tfug] "secure by default" ??
Jeremy C. Reed
reed at reedmedia.net
Wed Feb 8 20:05:59 MST 2006
On Wed, 8 Feb 2006, Ammon Lauritzen wrote:
> Along those lines, when I was installing Apache, I discovered a
> pre-existing 1.3.29 installation. Which, while it wasn't turned on and
> running without my permission, is still an obsolete server version
> lacking needed features that is on the machine without my approval. It
> was also not installed via the pkg system, i.e., there is no easy way to
> remove it short of tracking down offending files and removing them
> individually.
OpenBSD's httpd is in the default install. If you installed OpenBSD, it is
installed with your approval.
Remove the files if you want.
> I am led to understand that this is supposedly a 'hardened' version of
> the application and is supposed to be one of the winning features of the
> operating system. But, why haven't they at least updated to the 2.0
> line? After all, 2.0.0 was released almost four years ago. 1.3.29 is
> more than two years old, and there have been numerous security
> advisories and associated updates made to the 1.3 line since then.
This is discussed many times in OpenBSD archives. OpenBSD doesn't like
Apache's license.
Apache would not take back OpenBSD's many improvements.
So now OpenBSD's httpd is not Apache anymore. In fact, I started working
on porting it back to Linux to use instead of Apache's version -- because
I trust OpenBSD's version more.
> How am I supposed to believe that their version of 1.3.29 is actually
> safe when it tells me otherwise? I don't like black boxes. Avoidance of
> such is kind of one of the big points of open source in the first place, ne?
What tells you otherwise?
As for the OpenSSL, check the CVS logs or OpenBSD change logs. OpenBSD
does update the code for bug fixes. Changing the version is not always
done, because that would possibly conflict with OpenSSL's own changes (and
they could have incompatible features). This is normal and I have seen
other operating systems do the same.
Jeremy C. Reed
BSD News, BSD tutorials, BSD links
http://www.bsdnewsletter.com/
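The point about OpenBSD applying fixes without bumping the upstream version string is exactly where version-banner vulnerability checks produce false positives. Added example (not from the thread or from OpenBSD): a small Python check that contrasts a naive banner comparison with a change-log lookup; the banner, fixed-in version, change-log lines and fix identifiers are all constructed for illustration.

```python
"""Added example: why a version banner alone misclassifies backported fixes.

A scanner that only compares "1.3.29" against an upstream fixed-in version
flags the host; checking the system's own change log (as the reply suggests)
is the more reliable signal. Everything below is constructed sample data.
"""
import re

# Constructed excerpt in the shape of a CVS/change log; not real OpenBSD history.
SAMPLE_CHANGELOG = """\
2004-03-01  fix: apply upstream patch for mod_include buffer handling (FIX-0001)
2004-11-20  fix: backport OpenSSL ASN.1 parsing fix (FIX-0002), version string unchanged
2005-06-02  merge: local hardening for chunked-encoding handling (FIX-0003)
"""


def parse_version(banner):
    """Extract a dotted version from a banner such as 'Apache/1.3.29 (Unix)'."""
    m = re.search(r"(\d+(?:\.\d+)+)", banner)
    if not m:
        raise ValueError("no version in banner: %r" % banner)
    return tuple(int(p) for p in m.group(1).split("."))


def version_says_vulnerable(banner, fixed_in):
    """Naive check: anything older than the upstream fixed-in version is flagged."""
    return parse_version(banner) < parse_version(fixed_in)


def changelog_has_fix(changelog, fix_id):
    """Backport-aware check: look for the fix identifier in the local change log."""
    pattern = re.compile(r"\(" + re.escape(fix_id) + r"\)")
    return any(pattern.search(line) for line in changelog.splitlines())


def assess(banner, fixed_in, fix_id, changelog):
    """Combine both signals: the banner alone overstates risk on a backporting OS."""
    by_version = version_says_vulnerable(banner, fixed_in)
    backported = changelog_has_fix(changelog, fix_id)
    if by_version and backported:
        return "fixed (backported; banner is stale)"
    if by_version:
        return "needs investigation (banner older than fix, no log entry)"
    return "fixed (version at or beyond fix)"


if __name__ == "__main__":
    print(assess("Apache/1.3.29 (Unix)", "1.3.31", "FIX-0001", SAMPLE_CHANGELOG))
```

The same idea applies to the OpenSSL version string the reply mentions: a log entry recording the backported fix, not the version number, is what tells you the fix is present.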