Hacker News new | ask | show | jobs
by andrehacker 203 days ago
>> Or you can go like Netflix and just run as close to -CURRENT as you can.

The point is that for any system that has a publicly facing (internet) part you will have to keep up to date with known vulnerabilities as published in CVEs. Not doing so makes you a prime target to security breaches.

The FreeBSD maintainers do modify FreeBSD to address the latest known vulnerabilities.... but you will have to accept the new release every 3 months.

Aditionally, those releases do not only contain FreeBSD changes but also changes to all third party open source packages that are part of the distribution. Every package is maintained by different individuals or groups and often they make changes that change the way their software works, often these are "breaking" changes, i.e. you will have to update your application code for it to be compatible with that.
2 comments
wkat4242 203 days ago
> Aditionally, those releases do not only contain FreeBSD changes but also changes to all third party open source packages that are part of the distribution

No they don't. Only major releases so, which are once every 2 years or so. And the old ones stay supported until the release after that. There's always two major releases in support. So you have about 4 years.

link
toast0 203 days ago
> The point is that for any system that has a publicly facing (internet) part you will have to keep up to date with known vulnerabilities as published in CVEs. Not doing so makes you a prime target to security breaches.

Sure, you have to be aware of them, but for something like this [1], if you don't use SO_REUSEPORT_LB, you don't have to take any further action.

The defect is likely in other FreeBSD releases that are no longer supported, but still, if you don't use SO_REUSEPORT_LB, you don't have to update.

If you do use the feature, then for unsupported releases, you could backport the fix, or update to a supported version. And you might mitigate by disabling the feature temporarily, depending on how much of a hit not using it is for your use case. Like I said, you have to be prepared for that.

You can also do partial updates, like take a new kernel, without touching the userland; or take the kernel and userland without taking any package/ports updates.

Some security advisories cover base userland or ports/packages... we can go through an example one of those and see what decision criteria would be for those, too.

[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:09...

link